MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3222c841b9001d821d2078f11ac014e96efaa1b4556a9205fafa682ee6505a8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 17

Intelligence 17 IOCs 1 YARA 6 File information Comments

SHA256 hash:	3222c841b9001d821d2078f11ac014e96efaa1b4556a9205fafa682ee6505a8b
SHA3-384 hash:	3f34c535ab52fc1f7136e5f3067e40fccd8ed43451bcef9521550dd9cbd14dffde3ef6c96e939053180929fc73d238be
SHA1 hash:	797946c47411fd25c5f638dbb9137b27ea4202b7
MD5 hash:	92316da3d1040324b191f7ac05cb1f1b
humanhash:	salami-moon-cold-carolina
File name:	Suppliers Specification sheetsPdf.exe
Download:	download sample
Signature	XWorm Create hunting rule
File size:	1'608'704 bytes
First seen:	2025-09-09 13:35:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	340c77a90c5444eb24ebb8c5ef52a71e (1 x RemcosRAT, 1 x XWorm, 1 x DBatLoader)
ssdeep	24576:Ink+8hNp2AUJxKeK9ntPNn19Fl2S+nkszAcdaS+nkszAcdt8E:IGh2gxzPL+bAc+bA
Threatray	69 similar samples on MalwareBazaar
TLSH	T1E175E0D362D18A33C156253C5C0FE7993CDABA601F24396676ED7E0C8F29B41BC652A3
TrID	58.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 14.7% (.EXE) Win64 Executable (generic) (10522/11/4) 9.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	abuse_ch
Tags:	exe xworm

abuse_ch

XWorm C2:
192.227.246.80:2020

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
192.227.246.80:2020	https://threatfox.abuse.ch/ioc/1585149/

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SuppliersSpecificationsheetsPdf.exe

Verdict:

Malicious activity

Analysis date:

2025-09-09 13:39:36 UTC

Tags:

delphi dbatloader loader auto-sch xworm

Link:

https://app.any.run/tasks/32715320-ab97-4824-96bc-f562ff8dcae5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/26499/

Detection(s):

Win.Trojan.Modiloader-10042434-0

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68c02d3a6e66ba602d796a4b

Tags:

delphi emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file

Running batch commands

Creating a process with a hidden window

Launching a process

Sending a custom TCP request

Connection attempt

Using the Windows Management Instrumentation requests

Moving of the original file

Unauthorized injection to a system process

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context borland_delphi fingerprint keylogger obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/68c02d35a7b97e046b93667d/reports/bc4d7646-3340-4913-b7b4-837a472873b3/overview

Verdict:

Malicious

Labled as:

TrojanDownloader/ModiLoader.a

Link:

https://www.hybrid-analysis.com/sample/3222c841b9001d821d2078f11ac014e96efaa1b4556a9205fafa682ee6505a8b

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-09T11:04:00Z UTC

Last seen:

2025-09-09T11:04:00Z UTC

Hits:

~100

Detections:

PDM:Trojan.Win32.Generic Backdoor.Agent.TCP.C&C Trojan.Win64.Zenpak.sb Trojan.Win32.Shellcode.sb HEUR:Trojan-PSW.Win32.DarkCloud.gen

Link:

https://opentip.kaspersky.com/3222c841b9001d821d2078f11ac014e96efaa1b4556a9205fafa682ee6505a8b/results?tab=lookup

Malware family:

ModiLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/618cfab4-c3dd-40df-a05a-f4c733c15ce9

Result

Threat name:

DBatLoader, XWorm

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1773985

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates many large memory junks

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to capture screen (.Net source)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Early bird code injection technique detected

Found malware configuration

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queues an APC in another process (thread injection)

Sample uses string decryption to hide its real strings

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Suspicious Creation with Colorcpl

Suricata IDS alerts for network traffic

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected DBatLoader

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3222c841b9001d821d2078f11ac014e96efaa1b4556a9205fafa682ee6505a8b

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/92316da3d1040324b191f7ac05cb1f1b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3222c841b9001d821d2078f11ac014e96efaa1b4556a9205fafa682ee6505a8b/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/3222c841b9001d821d2078f11ac014e96efaa1b4556a9205fafa682ee6505a8b

Threat name:

Win32.Trojan.DBatLoader

Status:

Malicious

First seen:

2025-09-09 13:38:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

30 of 38 (78.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=girmqqnzaaoyehjapdyrvqau5fxpvinukvvjebp27juc5zsqlkfq._file

Verdict:

malicious

Label(s):

dbatloader

XWorm

15aab891c6b901c7912b8de3fc9ad5f28cfb3b7c48460eafcf5c3a91fcf73553

XWorm

3222c841b9001d821d2078f11ac014e96efaa1b4556a9205fafa682ee6505a8b

XWorm

5ee4fc645fa88cd85eddc57b9fc28733a891d0bb84a648a560264b983b9c5488

XWorm

7f46e341e906e3c3b4b9ce3748f426f27fd808d904a1fe2a0706c690e0613132

XWorm

d08ec534d78a35e0d8903e14306d595613a604a4d31f22c8167aa6316d0f3855

XWorm

error

XWorm

+ 59 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:modiloader family:xworm collection discovery execution persistence rat trojan

Link:

https://tria.ge/reports/250909-qwd4csslx9/

Behaviour

Runs ping.exe

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Accesses Microsoft Outlook profiles

Executes dropped EXE

Loads dropped DLL

ModiLoader Second Stage

Detect Xworm Payload

ModiLoader, DBatLoader

Modiloader family

Xworm

Xworm family

Malware Config

C2 Extraction:

192.227.246.80:2020

Verdict:

Malicious

Tags:

Win.Trojan.Modiloader-10042434-0

YARA:

n/a

Link:

https://app.threat.zone/submission/ed0cd13f-3fda-49a4-acdc-8fdbe668e201

Unpacked files

SH256 hash:

3222c841b9001d821d2078f11ac014e96efaa1b4556a9205fafa682ee6505a8b

MD5 hash:

92316da3d1040324b191f7ac05cb1f1b

SHA1 hash:

797946c47411fd25c5f638dbb9137b27ea4202b7

Link:

https://www.unpac.me/results/ebf24c85-a1cf-495c-8481-b9ed587b41ab/

Malware family:

DonutLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3222c841b900/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/26499/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample