MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33033f739d757918a5a69c6d0d47fceb724128dd2fa0f2bb76d6a307f283d26f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: XWorm
Vendor detections: 14

SHA256 hash: 33033f739d757918a5a69c6d0d47fceb724128dd2fa0f2bb76d6a307f283d26f
SHA3-384 hash: 19e04d725b0d743b3b0aea975279cae28d7c392deae2cb4b37e6301348e7527f12672777b7f7a856abb2b1b7af1a634e
SHA1 hash: d473a9b6550b5dba82dd6eccde10df1d9ef2ebb8
MD5 hash: 7cb234996fa7d52587a676bbb74d36fc
humanhash: william-pip-ack-six
File name: 7cb234996fa7d52587a676bbb74d36fc.exe
Signature: XWorm
File size: 1'102'848 bytes
First seen: 2025-07-07 13:32:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 655b5ffd004e9ca1cb767feab6e0bdb8 (4 x LummaStealer, 3 x Vidar, 2 x XWorm)
ssdeep: 24576:bkywYQ/WgJapte3/P9ZHd9PA/Yd1HNTomnK6knLu3q4a/DKsx4DLu3q4a/DKsx4:qme3/FZHXPAs1BO6uu39S+sx43u39S+F
TLSH: T14B35AE388752A2D6FE5B0AF6045171A6B432B62681386FFF9790D3376E037C41F69398
TrID: 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
      12.2% (.EXE) OS/2 Executable (generic) (2029/13)
      12.0% (.EXE) Generic Win/DOS Executable (2002/3)
      12.0% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe xworm

Intelligence

File Origin
# of uploads: 1
# of downloads: 26
Origin country: SE

Vendor Threat Intelligence
Malware family:
ID: 1
File name: rl_9cfe8a34e954671eeafb9da5ce51699cbbd1f6adb05b35ffc60c65cf04730ef2
Verdict: Malicious activity
Analysis date: 2025-07-06 17:18:04 UTC
Tags: amadey botnet stealer loader auto-reg lumma arch-exec rdp screenconnect rmm-tool telegram vidar smokeloader stealc github autoit auto-startup evasion gcleaner

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.1%
Tags: virus zusy

Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context fingerprint microsoft_visual_cc packed packed packer_detected

Result
Threat name: AsyncRAT, LummaC Stealer, Njrat, Quasar,
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Compiles code for process injection (via .Net compiler)
Connects to many ports of the same IP (likely port scanning)
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to detect sleep reduction / modifications
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Drops executable to a common third party application directory
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Locky time evasion found (measures execution of CloseHandle and GetProcessHeap)
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected LummaC Stealer
Yara detected Njrat
Yara detected Quasar RAT
Yara detected Vidar stealer
Yara detected XWorm
Behaviour
Behavior Graph: (graph not reproduced here; Behavior Graph ID: 1730119, Sample: zTG4VOUZHc.exe, Startdate: 07/07/2025, Architecture: WINDOWS, Score: 100)
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) Win 64 Exe x64

Threat name: Win64.Trojan.Kepavll
Status: Malicious
First seen: 2025-07-06 15:37:43 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 20 of 24 (83.33%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:lumma family:njrat family:quasar family:vidar family:xworm botnet:6ba07e05801c4c8c8f765cb08db1a3b2 botnet:google chrome botnet:hacked credential_access cryptone defense_evasion discovery execution packer persistence rat spyware stealer trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Drops startup file
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Uses browser remote debugging
CryptOne packer
Detect Vidar Stealer
Detect Xworm Payload
Lumma Stealer, LummaC
Lumma family
Njrat family
Quasar RAT
Quasar family
Quasar payload
Vidar
Vidar family
Xworm
Xworm family
njRAT/Bladabindi
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 33033f739d757918a5a69c6d0d47fceb724128dd2fa0f2bb76d6a307f283d26f
MD5 hash: 7cb234996fa7d52587a676bbb74d36fc
SHA1 hash: d473a9b6550b5dba82dd6eccde10df1d9ef2ebb8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  XWorm: Executable exe 33033f739d757918a5a69c6d0d47fceb724128dd2fa0f2bb76d6a307f283d26f (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                        | Title                                            | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                             | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF)  | high

Reviews
ID                | Capabilities                   | Evidence
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API      | Uses Win Base API              | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineA, KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API | Can Execute other programs     | KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::ReadConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API   | Can Create Files               | KERNEL32.dll::CreateFileW
WIN_USER_API      | Performs GUI Actions           | USER32.dll::CreateWindowExA

Comments