MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c3ea6435a9e0047e3e62a972b0ecf35046202af3010def9acba459dc85eb520. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 16


Intelligence 16 IOCs 2 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c3ea6435a9e0047e3e62a972b0ecf35046202af3010def9acba459dc85eb520
SHA3-384 hash: e1f5f0fb89d946e779944486b7d2ef73868c4cb6e520bf6b32d96332ca95598c1a4f262bd21fa4b9bc37486e6ccbbe10
SHA1 hash: a1c1e8e53345e8100866f2619950d748c80d1475
MD5 hash: 92a9ffd1ff4950783187bd7af8bf5ac1
humanhash: lactose-island-social-sodium
File name:Transaction Receipt.bat.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:1'636'352 bytes
First seen:2025-07-29 15:06:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:9XbqcfWM7G6gYeoVGjEt797MWTDKrSU20Ytfg7C1uD9Pv1iIohRC:RpG6gvEG4NvDD0YtffuD1Ni
Threatray 52 similar samples on MalwareBazaar
TLSH T1A375121D3B7A9C11C24D5F32C513802942A7CC67EAB7F31B19C92EE62E297DAC45F990
TrID 56.5% (.EXE) Win64 Executable (generic) (10522/11/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:exe xworm


Avatar
abuse_ch
XWorm C2:
45.93.8.18:7493

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.93.8.18:7493 https://threatfox.abuse.ch/ioc/1562052/
45.93.8.18:9475 https://threatfox.abuse.ch/ioc/1562055/

Intelligence

File Origin
# of uploads :
1
# of downloads :
42
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Transaction Receipt.bat.exe
Verdict:
Malicious activity
Analysis date:
2025-07-29 15:36:25 UTC
Tags:
evasion remote xworm crypto-regex
Link:
https://app.any.run/tasks/023d8d5f-cfe1-4537-a7dc-24c13fc8e173

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/17597/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6888e3b70b4775fb21330c10
Tags:
asyncrat stration shell remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Sending a custom TCP request
Creating a process with a hidden window
Connection attempt
Setting a keyboard event handler
DNS request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/2c3ea6435a9e0047e3e62a972b0ecf35046202af3010def9acba459dc85eb520
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a06fe45f-932e-4342-9a9b-600e3d990c23
Result
Threat name:
Quasar, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1746406
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Yara detected Quasar RAT
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1746406 Sample: Transaction Receipt.bat.exe Startdate: 29/07/2025 Architecture: WINDOWS Score: 100 52 ipwho.is 2->52 60 Suricata IDS alerts for network traffic 2->60 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 12 other signatures 2->66 9 Transaction Receipt.bat.exe 7 2->9         started        12 svchost.exe 2->12         started        signatures3 process4 dnsIp5 44 C:\Users\user\AppData\Roaming\XClient.exe, PE32 9->44 dropped 46 C:\Users\user\...\RainbowDashClient.exe, PE32 9->46 dropped 48 C:\Users\user\AppData\...\Client-built.exe, PE32 9->48 dropped 50 C:\Users\...\Transaction Receipt.bat.exe.log, ASCII 9->50 dropped 15 XClient.exe 3 9->15         started        18 RainbowDashClient.exe 3 9->18         started        20 Client-built.exe 14 2 9->20         started        58 127.0.0.1 unknown unknown 12->58 file6 process7 dnsIp8 70 Antivirus detection for dropped file 15->70 72 Multi AV Scanner detection for dropped file 15->72 74 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->74 23 powershell.exe 15->23         started        26 powershell.exe 15->26         started        28 WerFault.exe 15->28         started        76 Bypasses PowerShell execution policy 18->76 78 Adds a directory exclusion to Windows Defender 18->78 30 powershell.exe 23 18->30         started        32 powershell.exe 18->32         started        34 WerFault.exe 18->34         started        54 45.93.8.18, 4475, 49681, 49688 VMAGE-ASRU Russian Federation 20->54 56 ipwho.is 15.204.213.5, 443, 49683 HP-INTERNET-ASUS United States 20->56 80 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->80 82 Installs a global keyboard hook 20->82 signatures9 process10 signatures11 36 conhost.exe 23->36         started        38 conhost.exe 26->38         started        68 Loading BitLocker PowerShell Module 30->68 40 conhost.exe 30->40         started        42 conhost.exe 32->42         started        process12
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2c3ea6435a9e0047e3e62a972b0ecf35046202af3010def9acba459dc85eb520
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable PE (Portable Executable) SOS: 0.31 Win 64 Exe x64
Link:
https://app.malva.re/file/92a9ffd1ff4950783187bd7af8bf5ac1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2c3ea6435a9e0047e3e62a972b0ecf35046202af3010def9acba459dc85eb520/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2025-07-29 15:07:40 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fq7kmq22tyaepy7gfklswdwpgucgeavpgain56nmxjcz3sc6wuqa._file
Verdict:
malicious
Label(s):
d&dloader
Create hunting rule
quasarrat
Create hunting rule
unc_loader_037
Create hunting rule
xworm
Create hunting rule
Similar samples:
0b484408c0a7a0d36bd2a1eaebd3030c98c88d786e92eb16b918b3a8b5c8bc9d
XWorm
2c3ea6435a9e0047e3e62a972b0ecf35046202af3010def9acba459dc85eb520
XWorm
368989934389f9101ee031231304d2544a5bd55ae3626bdba993451715558d7e
XWorm
50cb6b8d0f572cd355d682a3f3529854b98cc75e141e452c98bec0279ef1ace2
XWorm
818ef3d013069a7bacd3bf4d4a728ace9ea74ab518fb4adffcc0a23f57e4b585
XWorm
e22d400f19b72f31d712cf2f133813bf9f8b210ff4104f6440027e2aea8f28e6
XWorm
error
XWorm
+ 42 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm defense_evasion execution rat spyware trojan
Link:
https://tria.ge/reports/250729-sg7hgayqt4/
Behaviour
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
45.93.8.18:9475
45.93.8.18:7493
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2a524410-43f0-443f-b1a4-873c1139b435
Unpacked files
SH256 hash:
2c3ea6435a9e0047e3e62a972b0ecf35046202af3010def9acba459dc85eb520
MD5 hash:
92a9ffd1ff4950783187bd7af8bf5ac1
SHA1 hash:
a1c1e8e53345e8100866f2619950d748c80d1475
Link:
https://www.unpac.me/results/771f9406-3437-477b-89f6-9648a1ee46e4/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2c3ea6435a9e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.99
Link:
https://yomi.yoroi.company/submissions/2c3ea6435a9e0047e3e62a972b0ecf35046202af3010def9acba459dc85eb520

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/17597/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments