MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 295a1fe5ff733dde577267491fa637a43dfb21930c60e996121eeec21d98d528. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 295a1fe5ff733dde577267491fa637a43dfb21930c60e996121eeec21d98d528
SHA3-384 hash: 1f088c9998b24ad5b6728544d86a3a01ce688b5c42ae9fd9b9f6823bcc318ca9f2ff2ab9515de048545837aaa673cb62
SHA1 hash: 059f84529641a772f564f0afa890fd4260ec3a06
MD5 hash: 066ea1397f09fed558600e6c4bc7c1e4
humanhash: undress-carolina-island-hamper
File name:фактура отпремни документ бр. 56Д86Л.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:577'544 bytes
First seen:2024-11-06 19:30:40 UTC
Last seen:2024-11-06 21:27:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:4oSoGX2ry3mFpqjgS+CLuE0Fq7qUckNxxA7WkR:RSoGmr8mFpq8SjLuS7qjkNK
TLSH T1A9C4CFD03B327714DEA95A34D169EDBA92F11AA8B004BAF725DC3B5734CC221AE0CF55
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon ccd4ccccf8ccc8f8 (2 x SnakeKeylogger, 1 x Formbook, 1 x RemcosRAT)
Reporter TeamDreier
Tags:exe xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
419
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
фактура отпремни документ бр. 56Д86Л.exe
Verdict:
Suspicious activity
Analysis date:
2024-11-06 19:33:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0b2891f9-4a38-42ce-b711-ea0bb7da62dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BackDoor.AgentTeslaNET.44.23126.15144.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=672bc41b8d23d90491347674
Tags:
powershell infosteal
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/295a1fe5ff733dde577267491fa637a43dfb21930c60e996121eeec21d98d528
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6d4586d-4b7a-4f38-9ecc-7446ca109e78
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1550553
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1550553 Sample: 86#U041b.exe Startdate: 06/11/2024 Architecture: WINDOWS Score: 100 48 pastebin.com 2->48 54 Suricata IDS alerts for network traffic 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Sigma detected: Scheduled temp file as task from temp location 2->58 62 10 other signatures 2->62 8 86#U041b.exe 7 2->8         started        12 FeAlvpvraR.exe 5 2->12         started        signatures3 60 Connects to a pastebin service (likely for C&C) 48->60 process4 file5 40 C:\Users\user\AppData\...\FeAlvpvraR.exe, PE32 8->40 dropped 42 C:\Users\...\FeAlvpvraR.exe:Zone.Identifier, ASCII 8->42 dropped 44 C:\Users\user\AppData\Local\...\tmp4318.tmp, XML 8->44 dropped 46 C:\Users\user\AppData\...\86#U041b.exe.log, ASCII 8->46 dropped 64 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->64 66 Uses schtasks.exe or at.exe to add and modify task schedules 8->66 68 Adds a directory exclusion to Windows Defender 8->68 14 powershell.exe 23 8->14         started        17 powershell.exe 23 8->17         started        19 86#U041b.exe 15 2 8->19         started        22 schtasks.exe 1 8->22         started        70 Multi AV Scanner detection for dropped file 12->70 72 Machine Learning detection for dropped file 12->72 24 schtasks.exe 12->24         started        26 FeAlvpvraR.exe 12->26         started        28 FeAlvpvraR.exe 12->28         started        signatures6 process7 dnsIp8 74 Loading BitLocker PowerShell Module 14->74 30 conhost.exe 14->30         started        32 WmiPrvSE.exe 14->32         started        34 conhost.exe 17->34         started        50 84.38.130.134, 49729, 7000 DATACLUBLV Latvia 19->50 52 pastebin.com 104.20.3.235, 443, 49719 CLOUDFLARENETUS United States 19->52 36 conhost.exe 22->36         started        38 conhost.exe 24->38         started        signatures9 process10
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/295a1fe5ff733dde577267491fa637a43dfb21930c60e996121eeec21d98d528
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/295a1fe5ff733dde577267491fa637a43dfb21930c60e996121eeec21d98d528/
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-11-05 03:42:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ffnb7zp7om654v3sm5er7jrxuq67wimtbrqotfqsd3xmehmy2uua._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
xworm
Create hunting rule
Similar samples:
error
XWorm
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/241106-x8c56avqh1/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/85dcdfbc-5303-4723-94e3-7d43e3f871d4
Unpacked files
SH256 hash:
a5a7e6a9e21fbd9e575e5db94921292cd3bc570fb1ce80fc73b25e97f5e85c40
MD5 hash:
bc31bb958eebccbf3e07b9fb50164233
SHA1 hash:
98e95f0001ac6482625cd098060e0aa0db470d10
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d8d2e4ce-c5a9-4c13-84e5-8b250e5b2c6a/
SH256 hash:
3ab71c0f1e801c1e50d7f3946d61f5fe397651a909d0108ab477f44a3eea4a63
MD5 hash:
efa8dbb2da08b4eff7e32dda9f13f82a
SHA1 hash:
3aedcfeed719554424c28ba23950c39466d11b1a
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d8d2e4ce-c5a9-4c13-84e5-8b250e5b2c6a/
SH256 hash:
de4ee5d72bff898825d7ecbc68850fe7fae935acc7d6d486affc7c41790ced56
MD5 hash:
260d0a6f553a28442b1a715250deb777
SHA1 hash:
32cd4761cef81391607bdb95958bba1476c44917
Detections:
XWorm
Create hunting rule
win_xworm_w0
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
win_xworm_bytestring
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/d8d2e4ce-c5a9-4c13-84e5-8b250e5b2c6a/
Parent samples :
de4ee5d72bff898825d7ecbc68850fe7fae935acc7d6d486affc7c41790ced56
295a1fe5ff733dde577267491fa637a43dfb21930c60e996121eeec21d98d528
SH256 hash:
295a1fe5ff733dde577267491fa637a43dfb21930c60e996121eeec21d98d528
MD5 hash:
066ea1397f09fed558600e6c4bc7c1e4
SHA1 hash:
059f84529641a772f564f0afa890fd4260ec3a06
Link:
https://www.unpac.me/results/d8d2e4ce-c5a9-4c13-84e5-8b250e5b2c6a/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/295a1fe5ff73/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Executable exe 295a1fe5ff733dde577267491fa637a43dfb21930c60e996121eeec21d98d528

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments