MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32a333bb3c7ae28e1b197f94a4b16cc6f708b84e165ae55c3a109b57a3ed11c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32a333bb3c7ae28e1b197f94a4b16cc6f708b84e165ae55c3a109b57a3ed11c6
SHA3-384 hash: 76f6aac05c651efb4b7de5243363a3e84321257eb20992ab9c84f8f3e7849813e81c931524f7b201f62ad2cff4cf74e2
SHA1 hash: ffd5936fd106f37509e92bd2f0b8b7cd79252772
MD5 hash: 4ab6e6b7f12cdc6be0aac6c4c867734a
humanhash: diet-green-yankee-magazine
File name:Steamify Cracked.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:843'776 bytes
First seen:2024-06-14 13:42:30 UTC
Last seen:2024-06-14 14:27:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (33 x CoinMiner, 17 x AsyncRAT, 15 x BlankGrabber)
ssdeep 12288:35PD0rEQ+UVw+nl/7teXfzAZ5tM5ps3CHTyvRD6itpwC9qYNOePAJuQqJSP2ZczB:3570gQ+sRl/Rm8mp9zil4BP2Zc
TLSH T1C805270976AFDB5FF098B4E173DA026510B480630AB7498E2BAF4E74852F5E90FDD742
TrID 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter Chainskilabs
Tags:exe xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
353
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Steamify Cracked.exe
Verdict:
Malicious activity
Analysis date:
2024-06-14 13:40:11 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/06d61a67-e37b-4ae7-9401-d01db61a35e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.25747.7932.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=666c4d8a0f85a8479dc6ccfbwin7simulatehigh_evasion
Tags:
Banker Encryption Execution Network Stealth Zpack Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% directory
Launching a process
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/666c48eeeae3878d8f39a2d7/reports/407eb025-2ca7-4391-bfed-b4b637df0a57/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/32a333bb3c7ae28e1b197f94a4b16cc6f708b84e165ae55c3a109b57a3ed11c6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/00095bde-961c-4ca7-ac3d-ba4857777c25
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1457313
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/32a333bb3c7ae28e1b197f94a4b16cc6f708b84e165ae55c3a109b57a3ed11c6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/32a333bb3c7ae28e1b197f94a4b16cc6f708b84e165ae55c3a109b57a3ed11c6/
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2024-06-14 13:43:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 24 (91.67%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gkrthoz4plri4gyzp6kkjmlmy33qrococznokxb2ccnvpi7nchda._file
Verdict:
malicious
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution persistence rat trojan
Link:
https://tria.ge/reports/240614-qz8r5swhkn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction:
inn-ht.gl.at.ply.gg:60031
Unpacked files
SH256 hash:
e9dad4f37bdc3e80130637b3b5de29bf78e376cb8b8894a27ab4b727d60dff5b
MD5 hash:
3d0f60a06bfead1b3ce9847dbd9ce7e7
SHA1 hash:
e79eff9033d46736a876ab3379038a592d8e210f
Detections:
XWorm
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/fe4119e7-4066-43e1-8d07-9ff7e441e8c8/
SH256 hash:
747a6d8099aa37ebb5a01695a03eec3bcdfc3e80e8d3474a604110dfce75ed3a
MD5 hash:
43d1c8246c9405244116d6ff630b1656
SHA1 hash:
3d64e6e434d45b015976cf7c92dda8c071ac4bf2
Link:
https://www.unpac.me/results/fe4119e7-4066-43e1-8d07-9ff7e441e8c8/
SH256 hash:
32a333bb3c7ae28e1b197f94a4b16cc6f708b84e165ae55c3a109b57a3ed11c6
MD5 hash:
4ab6e6b7f12cdc6be0aac6c4c867734a
SHA1 hash:
ffd5936fd106f37509e92bd2f0b8b7cd79252772
Link:
https://www.unpac.me/results/fe4119e7-4066-43e1-8d07-9ff7e441e8c8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
XWorm
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/32a333bb3c7ae28e1b197f94a4b16cc6f708b84e165ae55c3a109b57a3ed11c6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA

Comments