MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32d826c1a59469515c34e02a2bda606fc3465eb064ece53686bd6572bcdbb650. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32d826c1a59469515c34e02a2bda606fc3465eb064ece53686bd6572bcdbb650
SHA3-384 hash: 650512b80d90899131761562fb721e76c962c3e8ba1cc351d2f292dc01002acb0d54247d263f4feb0e7508e9a8bd3353
SHA1 hash: 1c9d97195c584788471a14098bb3d1babb43cd53
MD5 hash: c511716941280a19fac1bfd6b2a72626
humanhash: alpha-helium-december-pasta
File name:Winrar64Unlocked.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:7'388'672 bytes
First seen:2025-10-02 05:35:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'854 x AgentTesla, 19'783 x Formbook, 12'304 x SnakeKeylogger)
ssdeep 98304:Ju21Ago+UOiU4WZJtcKS4NTQ/IbA99Vy2Zp/iQPBz9RYrpomG1PAVp7Sed2kCM2:JhZfcKS4FOIbA93y2vZz6zGUSMCM
TLSH T13D76337F576CE3857550EC3713C7C966CFA0AADC662F205248A041929E46EDE2EEF0C6
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe xworm


Avatar
abuse_ch
XWorm C2:
5.175.234.65:7000

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
5.175.234.65:7000 https://threatfox.abuse.ch/ioc/1605424/

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
32d826c1a59469515c34e02a2bda606fc3465eb064ece53686bd6572bcdbb650.exe
Verdict:
Malicious activity
Analysis date:
2025-10-02 05:30:35 UTC
Tags:
auto-startup auto-reg amsi-bypass auto-download
Link:
https://app.any.run/tasks/0b377581-42b4-4261-bc5b-df5e2b393e9f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29872/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68de0dfbb54520161ad44ddc
Tags:
autorun micro sage remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Launching a process
Creating a process with a hidden window
Creating a window
Enabling the 'hidden' option for recently created files
Connection attempt
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Searching for synchronization primitives
DNS request
Launching a service
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
asyncrat nanocore packed unsafe vbnet xworm zilla
Link:
https://www.filescan.io/uploads/68de0f34674d5fd6aa134478/reports/d87e036a-1dd0-48b2-9988-c3e932b87895/overview
Verdict:
Malicious
Labled as:
MSIL.Cassiopeia.Generic
Link:
https://www.hybrid-analysis.com/sample/32d826c1a59469515c34e02a2bda606fc3465eb064ece53686bd6572bcdbb650
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-02T02:36:00Z UTC
Last seen:
2025-10-02T15:21:00Z UTC
Hits:
~10
Detections:
Trojan.WinLNK.Agent.fb HEUR:Trojan-Ransom.MSIL.Blocker.gen HEUR:Trojan-PSW.MSIL.Rhadamanthys.gen HEUR:Trojan-Dropper.MSIL.Dapato.gen HEUR:Trojan.Win32.Generic PDM:Trojan.Win32.Generic Backdoor.Agent.TCP.C&C Trojan.Win32.Agent.sb Trojan.MSIL.Crypt.sb Trojan.MSIL.Agent.sb HEUR:Trojan-Spy.WinLNK.Xegumumune.gen PDM:Worm.Win32.Generic VHO:Trojan-Dropper.Win32.Convagent.gen Trojan-Dropper.Win32.Agent.sb HEUR:Trojan.MSIL.Agentc.gen Trojan.MSIL.Miner.sb Trojan.MSIL.DOTHETUK.sb Trojan-Banker.MSIL.ClipBanker.sb
Link:
https://opentip.kaspersky.com/32d826c1a59469515c34e02a2bda606fc3465eb064ece53686bd6572bcdbb650/results?tab=lookup
Malware family:
ModernLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6f63512e-be5e-4cdb-9a73-bddd3b4748b8
Result
Threat name:
VioletWorm, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1787850
Signature
.NET source code contains potential unpacker
.NET source code contains suspicious base64 encoded strings
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Drops PE files to the startup folder
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected VioletWorm
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1787850 Sample: Winrar64Unlocked.exe Startdate: 02/10/2025 Architecture: WINDOWS Score: 100 67 Suricata IDS alerts for network traffic 2->67 69 Found malware configuration 2->69 71 Antivirus detection for dropped file 2->71 73 11 other signatures 2->73 8 Winrar64Unlocked.exe 7 2->8         started        11 VioletClient.exe 2->11         started        13 VioletClient3335.exe 2->13         started        15 12 other processes 2->15 process3 file4 57 C:\Users\user\AppData\Local\Winrar64.exe, PE32 8->57 dropped 59 C:\Users\...\VioletClient3335_protected.exe, PE32 8->59 dropped 61 C:\Users\user\...\VioletClient3335.exe, PE32 8->61 dropped 63 3 other malicious files 8->63 dropped 17 VioletClient.exe 1 7 8->17         started        22 Winrar64.exe 3 8->22         started        24 VioletClient3335.exe 1 7 8->24         started        26 4 other processes 8->26 process5 dnsIp6 65 5.175.234.65, 49723, 49724, 7000 ASGHOSTNETDE Germany 17->65 41 C:\Users\user\AppData\...\VioletClient.exe, PE32 17->41 dropped 43 C:\Users\user\AppData\...\VioletClient.exe, PE32 17->43 dropped 75 Antivirus detection for dropped file 17->75 77 Creates multiple autostart registry keys 17->77 79 Drops PE files to the startup folder 17->79 81 Uses schtasks.exe or at.exe to add and modify task schedules 17->81 28 schtasks.exe 17->28         started        45 C:\Users\...\VioletClient3335_protected.exe, PE32 22->45 dropped 83 Multi AV Scanner detection for dropped file 22->83 30 VioletClient3335_protected.exe 22->30         started        47 C:\Users\user\...\VioletClient3335.exe, PE32 24->47 dropped 49 C:\Users\user\...\VioletClient3335.exe, PE32 24->49 dropped 33 schtasks.exe 24->33         started        51 C:\Users\user\...\Snapchat Installer.exe, PE32 26->51 dropped 53 C:\...\VioletClient3335_protected.exe.log, CSV 26->53 dropped 55 C:\Users\...\Outputunkmwn_protected.exe.log, CSV 26->55 dropped 85 Binary or sample is protected by dotNetProtector 26->85 35 Snapchat Installer.exe 26->35         started        file7 signatures8 process9 signatures10 37 conhost.exe 28->37         started        87 Antivirus detection for dropped file 30->87 89 Multi AV Scanner detection for dropped file 30->89 39 conhost.exe 33->39         started        process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/32d826c1a59469515c34e02a2bda606fc3465eb064ece53686bd6572bcdbb650
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/32d826c1a59469515c34e02a2bda606fc3465eb064ece53686bd6572bcdbb650/
Verdict:
Malicious
Threat:
Trojan-Dropper.MSIL.Dapato
Link:
https://tip.neiki.dev/file/32d826c1a59469515c34e02a2bda606fc3465eb064ece53686bd6572bcdbb650
Threat name:
ByteCode-MSIL.Trojan.Cassiopeia
Create hunting rule
Status:
Malicious
First seen:
2025-10-02 05:30:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
34 of 38 (89.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=glmcnqnfsruvcxbu4avcxwtan7bumxvqmtwoknugxvsxfpg3wzia._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/251002-gaey4aspw8/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Verdict:
Malicious
Tags:
Win.Dropper.Nanocore-10039742-0
YARA:
n/a
Link:
https://app.threat.zone/submission/1d1cc28b-5aba-499f-a9f7-5a80341a5854
Unpacked files
SH256 hash:
32d826c1a59469515c34e02a2bda606fc3465eb064ece53686bd6572bcdbb650
MD5 hash:
c511716941280a19fac1bfd6b2a72626
SHA1 hash:
1c9d97195c584788471a14098bb3d1babb43cd53
Link:
https://www.unpac.me/results/43a15a8d-ed01-4e84-8628-680636bedde2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/32d826c1a59469515c34e02a2bda606fc3465eb064ece53686bd6572bcdbb650

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Executable exe 32d826c1a59469515c34e02a2bda606fc3465eb064ece53686bd6572bcdbb650

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/29872/
  
URLhaus
https://urlhaus.abuse.ch/url/3639102/
  
Delivery method
Distributed via web download

Comments