MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 297304093913381095220c0fc22bc6a4c64f4ed2f05a8bc0d71453fa6b7860e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	297304093913381095220c0fc22bc6a4c64f4ed2f05a8bc0d71453fa6b7860e5
SHA3-384 hash:	25d8aca81c431b02cfd84d7f6b02a5142d6022641e7890e62d57294219178c3ab8c2b3693630afc8502208cc72a3d2ab
SHA1 hash:	856e6f634ae15e27550cbfb1210a313174a2deff
MD5 hash:	0d84b857213666d2946cd162f32d28d0
humanhash:	golf-enemy-white-yankee
File name:	AxoCheat.exe
Download:	download sample
File size:	10'752 bytes
First seen:	2025-03-26 17:43:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	192:d950dmo9JSL75DuLzozbBLVbL/LaTSK0euttj+exz:d950dmo9JSL4LEzbvbL/LiSjeu7j+ex
Threatray	1'706 similar samples on MalwareBazaar
TLSH	T12C222B06A7ECC737CE7F0F394DE3A3800A71E6166C12EA5E2DDC64096D133900622BDA
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	BastianHein
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

436

Origin country :

Vendor Threat Intelligence

Malware family:

dcrat

ID:

File name:

AxoCheat.exe

Verdict:

Malicious activity

Analysis date:

2025-03-26 13:10:31 UTC

Tags:

github evasion dcrat rat stealer xworm remote darkcrystal loader

Link:

https://app.any.run/tasks/f43969dd-c842-4a9d-a9fd-d1b34a4194ba

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.DropperX-gen.22989.13989.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67e3fcc612b5dc44da3e3962

Tags:

infosteal asyncrat phishing

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Creating a file in the %temp% directory

Creating a window

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

obfuscated

Link:

https://www.filescan.io/uploads/67e43cb7f274bf2d8e23c243/reports/63e2e0b8-1c51-42b4-9f04-34ade4b38f1f/overview

Verdict:

Malicious

Labled as:

VHO_Trojan_MSIL_Convagent_gen

Link:

https://www.hybrid-analysis.com/sample/297304093913381095220c0fc22bc6a4c64f4ed2f05a8bc0d71453fa6b7860e5

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c6f8d415-f116-4502-8f72-b78e958c574c

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1649401

Signature

Antivirus detection for dropped file

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Behaviour

Behavior Graph:

Download SVG

Score:

76%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/297304093913381095220c0fc22bc6a4c64f4ed2f05a8bc0d71453fa6b7860e5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/297304093913381095220c0fc22bc6a4c64f4ed2f05a8bc0d71453fa6b7860e5/

Threat name:

Win32.Backdoor.Xworm

Status:

Suspicious

First seen:

2025-03-25 21:14:39 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

8 of 24 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ffzqicjzcm4bbfjcbqh4ek6gutde6tws6bnixqgxcrj7u23ymdsq._file

Verdict:

malicious

Label(s):

stormkitty

xworm

zerotracestealer

6a4c87064969595078355dae42918fc19c3b71f422d6b5af9cee50a2af2d7b88

7cd58601d62de54c16bf279d2eb477a0e5b85f62cbe387268c1bec578db2a1e3

92df7ed4566008f0d59d658cf64bda9715f7edc1bd37bb2cb2427d07f54ca7c3

error

f32897f93635e74613addb2b378037cec558d759101c8b49079cbccf262e2c86

+ 1'696 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery

Link:

https://tria.ge/reports/250326-wan94azvcx/

Behaviour

Suspicious use of AdjustPrivilegeToken

System Location Discovery: System Language Discovery

Legitimate hosting services abused for malware hosting/C2

Downloads MZ/PE file

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/8c4812c7-2d08-48ea-9031-4441b0d16adf

Unpacked files

SH256 hash:

297304093913381095220c0fc22bc6a4c64f4ed2f05a8bc0d71453fa6b7860e5

MD5 hash:

0d84b857213666d2946cd162f32d28d0

SHA1 hash:

856e6f634ae15e27550cbfb1210a313174a2deff

Link:

https://www.unpac.me/results/05eb1f83-0c61-4587-8650-3ab7e9b4704a/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/297304093913/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/297304093913381095220c0fc22bc6a4c64f4ed2f05a8bc0d71453fa6b7860e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample