MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c24d359f441614a46f56ce5c94a361cdfd03cd1bf91a99b1183675d6bf362a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c24d359f441614a46f56ce5c94a361cdfd03cd1bf91a99b1183675d6bf362a9
SHA3-384 hash: ed1f27e6f9994203eed5f524a4cb8521377a202ba29f8e5baaba3e5514fb640f7e7b8b8c4cae0a7a6bd3e8c16a94963e
SHA1 hash: 55e6c2f9a9325b79938bafa82ef5b76f030a912b
MD5 hash: 1877b7bcc1bc998e1d4e53a55cb1cd4c
humanhash: burger-moon-zebra-xray
File name:1877b7bcc1bc998e1d4e53a55cb1cd4c.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:40'960 bytes
First seen:2022-11-12 07:59:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 384:0/z/7roZ+lv83FLWnCqbmnaQDcag7zuPgg7Kx493yBtrLaWGPjxLCPOnsSZwHBWx:g/7roZ+v81mvx7zgJKd3yWWtRF3
Threatray 39 similar samples on MalwareBazaar
TLSH T1570309CDB7D51220D5BF66B15563D289C3F097632B37DB1E98C8219A2B9BE804086DF3
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13097/50/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1877b7bcc1bc998e1d4e53a55cb1cd4c.exe
Verdict:
Suspicious activity
Analysis date:
2022-11-12 08:02:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5602c704-98bb-45b9-a1b0-5d5406fad963

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/332830/
Detection(s):
Win.Infostealer.XWorm-9941708-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm cmd.exe greyware packed
Link:
https://www.filescan.io/uploads/636f529082dd9f2e2653c230/reports/07bb80f5-c067-4ccb-b478-99a257a26307/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7e880b18-c2ae-4f23-a5f0-63c23c01a12b
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1111768
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2c24d359f441614a46f56ce5c94a361cdfd03cd1bf91a99b1183675d6bf362a9/
Threat name:
ByteCode-MSIL.Trojan.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2022-10-23 09:20:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fqsngwpuifquurxvnts4ssrwdtp5apgrx6i2tgyrqntv227tmkuq._file
Verdict:
malicious
Similar samples:
096e33b9b0b4f843a7ea0259f75b4370f00ab90f3807eb89d5f0117da762900d
XWorm
0cff2bf05a9fe4f1c1953d1c1be3642fe955775a84ea109464fccb4ffb5bba09
XWorm
5dd7d23ab5fe608da7a2bbb6e63dea48503d191a98a6dfe2427af7ba01d175b8
XWorm
7fc6a365af13150e7b1738129832ebd91f1010705b0ab0955a295e2c7d88be62
XWorm
8cfefc291d9088ef0b3ab7dd59d8ff672e73d333c8d18bd1dff4c7695ae8af83
XWorm
9d8507a5ce83a0584aaa7c349a1f04e54b0c0d15433c0e54c2c1b74078cd3b2c
XWorm
afc1d8fda05e0a3970030ceaf91c79926441bc1549de9841e43ce36947c6f59a
XWorm
b88cc87476c96511d4da70732e1928471f9d48d25b2c7cc573ad2b2cdf19d3b0
XWorm
d13d39da36d9a911d5510a062c3a5eaf3a7645672515e139f90f74641f04d636
XWorm
de31429e630dc376d96d2f144962593cdda95e25cf4bad28ab2e5fa7c4fea655
XWorm
+ 29 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221112-jvzkcaed32/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/34a6c745-22cb-4302-81ea-e8af7b6b2c1a
Unpacked files
SH256 hash:
2c24d359f441614a46f56ce5c94a361cdfd03cd1bf91a99b1183675d6bf362a9
MD5 hash:
1877b7bcc1bc998e1d4e53a55cb1cd4c
SHA1 hash:
55e6c2f9a9325b79938bafa82ef5b76f030a912b
Link:
https://www.unpac.me/results/8ea1c589-8fa2-4d02-9fc5-c7b3ed7b097c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/2c24d359f441614a46f56ce5c94a361cdfd03cd1bf91a99b1183675d6bf362a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/332830/

Comments