MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35dcbe95b9ca79381e4d0a11561194439d554ed6e245b2e73700ece1f60fe884. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35dcbe95b9ca79381e4d0a11561194439d554ed6e245b2e73700ece1f60fe884
SHA3-384 hash: 948bd1d4a0b7aeedc99cd1a20de00fabec7f52151b240428c0036d7138af2a483517cbf3ae6f29d15cc95936597fb4e8
SHA1 hash: 7ddde7697b4aa24b57eda23a7741b70a7e21b522
MD5 hash: 6f3eadb0df1b0ca3e74916abfbfc37f5
humanhash: virginia-table-ohio-pip
File name:file
Download: download sample
Signature XWorm
Create hunting rule
File size:294'400 bytes
First seen:2023-03-21 13:30:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 3072:GBgHR3DD/SjJartwvmzzEQQ2PIbBtelpGp6ClHtVWp4+f8MMMMMMMMMMQMMTMMMJ:H3/0MrvzoQQ2emI6ClHtVWpaV
Threatray 539 similar samples on MalwareBazaar
TLSH T1115438123640DA1AC43C923C6FE1CF896631CAE46DA30797BAB25B15D9B6FEB3D05304
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 00cc8e69d4d4d400 (2 x XWorm)
Reporter jstrosch
Tags:.NET exe MSIL xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-03-21 13:31:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f2d50f3a-8ed1-4c12-8237-a347277acd1b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Running batch commands
Creating a file in the %AppData% subdirectories
Launching a process
Сreating synchronization primitives
Creating a window
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a process from a recently created file
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6419b164da1bbe29caf950fe/reports/2db9f301-780f-477f-8450-743d9e954194/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/35dcbe95b9ca79381e4d0a11561194439d554ed6e245b2e73700ece1f60fe884
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a4ad1c3-323b-4380-8095-c6f439ac5417
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1198568
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Drops PE files with benign system names
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 831470 Sample: file.exe Startdate: 21/03/2023 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 8 other signatures 2->74 7 file.exe 2 2->7         started        11 svchost.exe 1 2->11         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        process3 file4 60 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 7->60 dropped 76 Injects a PE file into a foreign processes 7->76 17 cmd.exe 2 7->17         started        20 cmd.exe 3 7->20         started        23 file.exe 2 7->23         started        26 cmd.exe 1 7->26         started        78 Multi AV Scanner detection for dropped file 11->78 80 Machine Learning detection for dropped file 11->80 28 cmd.exe 11->28         started        32 3 other processes 11->32 30 cmd.exe 13->30         started        34 3 other processes 13->34 36 4 other processes 15->36 signatures5 process6 dnsIp7 64 Uses schtasks.exe or at.exe to add and modify task schedules 17->64 66 Drops PE files with benign system names 17->66 38 conhost.exe 17->38         started        56 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 20->56 dropped 58 C:\Users\user\...\svchost.exe:Zone.Identifier, ASCII 20->58 dropped 40 conhost.exe 20->40         started        62 david1234.duckdns.org 193.47.61.37, 49691, 7000 TH-AS-APTianhaiInfoTechCN Germany 23->62 42 conhost.exe 26->42         started        44 schtasks.exe 1 26->44         started        46 2 other processes 28->46 48 2 other processes 30->48 50 2 other processes 32->50 52 2 other processes 34->52 54 4 other processes 36->54 file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35dcbe95b9ca79381e4d0a11561194439d554ed6e245b2e73700ece1f60fe884/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2023-03-20 17:34:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gxol5fnzzj4tqhsnbiivmemuioovktww4jc3fzzxadwod5qp5cca._file
Verdict:
malicious
Similar samples:
02f309fb8e7481c72fd89103c8895d1da42b049754f97216499418f702272752
XWorm
0342c1457d9394f575a311a7b5e2557860289a71c90ed0f5736e8410f5849d59
XWorm
0448f4f757e01709d74245010afcfe84924e4fd24cb20e54ffa1ebef8e28b48b
XWorm
11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
XWorm
20343f047964ef95901941b2406ee66ec976e2d849abbe991f94b6a0fe634881
XWorm
210e2cc9b49c52873cff318bbbb0502856e31c071dd7fe403933528c4847786f
XWorm
511424733d00ca86c76024260a3ca99f6e32d229ac552b9d3706bd6610a907f6
XWorm
780cbba379a56a25ef456dbbc7aaabe9891c816183d85fe3691fb4a700bb8a42
XWorm
affd4b17fb142660b6ab9ab7e98bc84c4e8c2c1fbe3b9f3e664fa8e902efc816
XWorm
cba8e79b90c98fe396da2d0243e1c98b13bdf586b8e60034be52fe6efdc42ce8
XWorm
+ 529 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230321-qrtm9aaf68/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Executes dropped EXE
Unpacked files
SH256 hash:
9feddd4893c2ca6014d825c186f25c26ae6fba0d43f1c366250262985f1c5c1d
MD5 hash:
33b47b06681eb49f9f56741b4dbd2ce1
SHA1 hash:
c05c634abfe7879d18409151f3ce07f240c6b105
Link:
https://www.unpac.me/results/bc194073-4019-496d-868a-e2c44896214b/
SH256 hash:
35dcbe95b9ca79381e4d0a11561194439d554ed6e245b2e73700ece1f60fe884
MD5 hash:
6f3eadb0df1b0ca3e74916abfbfc37f5
SHA1 hash:
7ddde7697b4aa24b57eda23a7741b70a7e21b522
Link:
https://www.unpac.me/results/bc194073-4019-496d-868a-e2c44896214b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/35dcbe95b9ca/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35dcbe95b9ca79381e4d0a11561194439d554ed6e245b2e73700ece1f60fe884

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Executable exe 35dcbe95b9ca79381e4d0a11561194439d554ed6e245b2e73700ece1f60fe884

(this sample)

  
Delivery method
Distributed via web download

Comments