MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 277e2a14e0391a77efa3e327dd14d6fb2995642b5e69a8a67bd644c90ff6fd3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 277e2a14e0391a77efa3e327dd14d6fb2995642b5e69a8a67bd644c90ff6fd3f
SHA3-384 hash: 76ac75900137d0930baf3ce1e70b084449cd2638255c4269116156bdf17eb9d93f804118a03583f5b994b8ed66f14930
SHA1 hash: d05582a302ea2a078c7ab2d59d9e4a6ed17e0ef9
MD5 hash: 0c11e82ba24a404d3a0d1031b423ac5b
humanhash: stairway-juliet-skylark-bulldog
File name:key.license.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:1'978'368 bytes
First seen:2025-08-21 18:26:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fadc5a257419d2541a6b13dfb5e311e2 (14 x XWorm, 5 x StormKitty, 3 x CoinMiner)
ssdeep 49152:b2EYTb8atv1orq+pEiSDTj1VyvBaBErpI4HuNqpEw1cyGdqu1:KXbIrqHsH0YlvGo2
TLSH T1AD95CF0973A481ADFEA7D177CA12C617D7B17C4A4236861F01A4BB762F337716A2E321
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon 58c8d1d0cecbeeec (18 x AsyncRAT, 9 x XWorm, 6 x QuasarRAT)
Reporter burger
Tags:AutoIT exe xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
key.license.exe
Verdict:
Malicious activity
Analysis date:
2025-08-21 18:24:46 UTC
Tags:
autoit evasion remote xworm auto generic
Link:
https://app.any.run/tasks/8078d948-255f-438a-baab-2e5b035aaa5d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22846/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a764eb8fd55a79c529d7a2
Tags:
autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Connection attempt
Sending an HTTP GET request
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Launching cmd.exe command interpreter
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Possible injection to a system process
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm autoit compiled-script fingerprint keylogger microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/68a765227137d6845836608b/reports/2a11766e-00a7-412a-bfb0-4bb3618acbb3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/277e2a14e0391a77efa3e327dd14d6fb2995642b5e69a8a67bd644c90ff6fd3f
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d30fa128-84d7-4865-8d72-ac60d1e35314
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1762329
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Binary is likely a compiled AutoIt script file
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1762329 Sample: key.license.exe Startdate: 21/08/2025 Architecture: WINDOWS Score: 100 53 nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs 2->53 57 Antivirus / Scanner detection for submitted sample 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Sigma detected: Drops script at startup location 2->61 63 4 other signatures 2->63 10 key.license.exe 4 2->10         started        15 wscript.exe 1 1 2->15         started        signatures3 process4 dnsIp5 55 185.208.159.143, 49718, 80 SIMPLECARRER2IT Switzerland 10->55 51 C:\Users\user\...\AdobeReader_82648.pif, PE32 10->51 dropped 77 Drops PE files to the document folder of the user 10->77 79 Binary is likely a compiled AutoIt script file 10->79 81 Drops PE files with a suspicious file extension 10->81 17 cmd.exe 1 10->17         started        83 Windows Scripting host queries suspicious COM object (likely to drop second stage) 15->83 19 SwiftWrite.pif 1 15->19         started        file6 signatures7 process8 file9 23 AdobeReader_82648.pif 6 17->23         started        27 conhost.exe 17->27         started        41 C:\Users\user\AppData\Local\...\jsc.exe, PE32 19->41 dropped 65 Writes to foreign memory regions 19->65 67 Injects a PE file into a foreign processes 19->67 29 jsc.exe 1 19->29         started        signatures10 process11 file12 43 C:\Users\user\Documents\...\jsc.exe, PE32 23->43 dropped 45 C:\Users\user\AppData\...\SwiftWrite.pif, PE32 23->45 dropped 47 C:\Users\user\AppData\...\QuzMuzWara.url, MS 23->47 dropped 49 C:\Users\user\AppData\Local\...\SwiftWrite.js, ASCII 23->49 dropped 69 Drops PE files to the document folder of the user 23->69 71 Drops PE files with a suspicious file extension 23->71 73 Writes to foreign memory regions 23->73 75 Injects a PE file into a foreign processes 23->75 31 jsc.exe 23->31         started        33 cmd.exe 2 23->33         started        35 jsc.exe 23->35         started        signatures13 process14 process15 37 WerFault.exe 4 31->37         started        39 conhost.exe 33->39         started       
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/277e2a14e0391a77efa3e327dd14d6fb2995642b5e69a8a67bd644c90ff6fd3f
Verdict:
Malware
YARA:
7 match(es)
Tags:
AutoIt Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Suspect Win 64 Exe x64
Link:
https://app.malva.re/file/0c11e82ba24a404d3a0d1031b423ac5b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/277e2a14e0391a77efa3e327dd14d6fb2995642b5e69a8a67bd644c90ff6fd3f/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/277e2a14e0391a77efa3e327dd14d6fb2995642b5e69a8a67bd644c90ff6fd3f
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-08-21 18:26:53 UTC
File Type:
PE+ (Exe)
Extracted files:
16
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e57cufhahenhp35d4mt52fgw7muzkzbllzu2rjt32zcmsd7w7u7q._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery rat trojan
Link:
https://tria.ge/reports/250821-w34kgswqv9/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Detect Xworm Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm
Xworm family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9192a772-4e2a-4d23-978c-9bb8568db0bd
Unpacked files
SH256 hash:
277e2a14e0391a77efa3e327dd14d6fb2995642b5e69a8a67bd644c90ff6fd3f
MD5 hash:
0c11e82ba24a404d3a0d1031b423ac5b
SHA1 hash:
d05582a302ea2a078c7ab2d59d9e4a6ed17e0ef9
Link:
https://www.unpac.me/results/6ec1d6a4-b124-48ac-b00b-6f4e3debf257/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/22846/

Comments