MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3847b2b3358e1367eea88ac614bcb5d760126b5a9fa59513966197b10b2f99a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3847b2b3358e1367eea88ac614bcb5d760126b5a9fa59513966197b10b2f99a6
SHA3-384 hash: 4774d91b1135b37cd696bcc0643d33a156f91000e2e585c533eb592bacbc7e5d751dd82d9cb6d3fad1fb5214456e5d52
SHA1 hash: c3bb1ee558c303c86200709144c23b938824c0cb
MD5 hash: c470470673fa6f77d53a7b251bc10be6
humanhash: pluto-saturn-zulu-skylark
File name:c470470673fa6f77d53a7b251bc10be6.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:7'223'296 bytes
First seen:2025-08-21 12:53:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 196608:wE5tz5YP32M2Vcvi5FDnkCOu53y6egMUAQ:J5tz5vJEwnk9u54U9
Threatray 10 similar samples on MalwareBazaar
TLSH T11676335612A54CF9C52A67772CED52B3C220CACB837703F43F4A2239959A2F6D5702F9
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 58d8b26340809adc (7 x DCRat, 2 x XWorm, 1 x AsyncRAT)
Reporter abuse_ch
Tags:exe xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c470470673fa6f77d53a7b251bc10be6.exe
Verdict:
Malicious activity
Analysis date:
2025-08-21 13:06:41 UTC
Tags:
auto-reg github telegram auto-startup xworm stealer auto-sch sheet rat ms-smartcard crypto-regex ims-api generic
Link:
https://app.any.run/tasks/cb35e661-3536-4ce4-b120-ca9597b2a89a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/22771/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a716d98fd55a79c529b777
Tags:
asyncrat autorun emotet proxy
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a file
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the system32 directory
Running batch commands
Creating a file in the Windows directory
Enabling the libraries to load when starting the app (AppInit_DLLs)
Launching a process
DNS request
Creating a window
Sending a UDP request
Connection attempt
Sending a custom TCP request
Loading a suspicious library
Creating a file in the Program Files subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Query of malicious DNS domain
Connection attempt to an infection source
Adding an exclusion to Microsoft Defender
Enabling autorun
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet venomrat
Link:
https://www.filescan.io/uploads/68a7173e4a87ed796766e8f6/reports/03bc8576-de46-43ca-bf9e-a95e22907add/overview
Verdict:
Malicious
Labled as:
Backdoor.Marte.VenomRAT.Generic
Link:
https://www.hybrid-analysis.com/sample/3847b2b3358e1367eea88ac614bcb5d760126b5a9fa59513966197b10b2f99a6
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0993b0c6-c3cb-4352-81fb-6d54f60d74e1
Result
Threat name:
Salat Stealer, SheetRat, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1761972
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allows loading of unsigned dll using appinit_dll
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Check if machine is in data center or colocation facility
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Schedule system process
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Salat Stealer
Yara detected SheetRat
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1761972 Sample: Xz5aBxFf1N.exe Startdate: 21/08/2025 Architecture: WINDOWS Score: 100 112 api.telegram.org 2->112 114 ip-api.com 2->114 116 3 other IPs or domains 2->116 132 Suricata IDS alerts for network traffic 2->132 134 Malicious sample detected (through community Yara rule) 2->134 136 Antivirus detection for dropped file 2->136 140 21 other signatures 2->140 10 Xz5aBxFf1N.exe 4 6 2->10         started        14 svchost.exe 2->14         started        16 svchost.exe 2->16         started        19 7 other processes 2->19 signatures3 138 Uses the Telegram API (likely for C&C communication) 112->138 process4 dnsIp5 98 C:\Users\user\AppData\Local\...\xsvchost.exe, PE32 10->98 dropped 100 C:\Users\user\AppData\Local\...\svchost.exe, PE32 10->100 dropped 102 C:\Users\user\AppData\Local\Temp\steam.exe, PE32+ 10->102 dropped 104 2 other malicious files 10->104 dropped 180 Creates multiple autostart registry keys 10->180 182 Bypasses PowerShell execution policy 10->182 184 Adds a directory exclusion to Windows Defender 10->184 186 Drops PE files with benign system names 10->186 21 xsvchost.exe 10->21         started        26 svchost.exe 4 6 10->26         started        28 Extreme Injector Neo.exe 10->28         started        34 6 other processes 10->34 188 Changes security center settings (notifications, updates, antivirus, firewall) 14->188 110 127.0.0.1 unknown unknown 16->110 30 WerFault.exe 19->30         started        32 steamwebhelper.exe 19->32         started        file6 signatures7 process8 dnsIp9 128 api.telegram.org 149.154.167.220, 443, 49719 TELEGRAMRU United Kingdom 21->128 84 C:\Users\user\AppData\Local\...\dllhost.exe, PE32 21->84 dropped 158 Multi AV Scanner detection for dropped file 21->158 160 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->160 162 Protects its processes via BreakOnTermination flag 21->162 176 2 other signatures 21->176 36 dllhost.exe 21->36         started        40 powershell.exe 21->40         started        42 powershell.exe 21->42         started        51 4 other processes 21->51 130 PULSARRR-33300.portmap.io 193.161.193.99, 33300, 49692, 49697 BITREE-ASRU Russian Federation 26->130 86 C:\Windows\xdwd.dll, PE32+ 26->86 dropped 88 C:\Windows\System32\WindowsDefender.exe, PE32 26->88 dropped 90 C:\Users\user\AppData\Local\svchost.exe, PE32 26->90 dropped 164 System process connects to network (likely due to code injection or exploit) 26->164 166 Creates an undocumented autostart registry key 26->166 168 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 26->168 178 3 other signatures 26->178 44 cmd.exe 26->44         started        53 11 other processes 26->53 92 C:\Users\user\AppData\...\steamwebhelper.exe, PE32 28->92 dropped 94 C:\Users\user\...xtreme Injector v3.exe, PE32 28->94 dropped 46 steamwebhelper.exe 28->46         started        49 Extreme Injector v3.exe 28->49         started        170 Found many strings related to Crypto-Wallets (likely being stolen) 34->170 172 Writes to foreign memory regions 34->172 174 Loading BitLocker PowerShell Module 34->174 55 5 other processes 34->55 file10 signatures11 process12 dnsIp13 118 ip-api.com 208.95.112.1, 443, 49716 TUT-ASUS United States 36->118 142 System process connects to network (likely due to code injection or exploit) 36->142 144 Multi AV Scanner detection for dropped file 36->144 146 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 36->146 148 Queries memory information (via WMI often done to detect virtual machines) 36->148 57 WerFault.exe 36->57         started        150 Loading BitLocker PowerShell Module 40->150 60 conhost.exe 40->60         started        62 conhost.exe 42->62         started        152 Uses schtasks.exe or at.exe to add and modify task schedules 44->152 70 2 other processes 44->70 120 8.8.4.4, 443, 57609, 60870 GOOGLEUS United States 46->120 122 dns.google 8.8.8.8, 443, 57604, 57605 GOOGLEUS United States 46->122 124 104.21.16.1, 443, 57607, 60872 CLOUDFLARENETUS United States 46->124 106 C:\...\b4nx9CkwPAVKstJ16M7O.exe, PE32 46->106 dropped 108 C:\...\3LplLncDUGfzpfMM.exe, PE32 46->108 dropped 154 Found many strings related to Crypto-Wallets (likely being stolen) 46->154 156 Creates multiple autostart registry keys 46->156 64 3LplLncDUGfzpfMM.exe 46->64         started        126 raw.githubusercontent.com 185.199.108.133, 443, 49702, 49715 FASTLYUS Netherlands 49->126 72 3 other processes 51->72 66 schtasks.exe 53->66         started        68 conhost.exe 53->68         started        74 20 other processes 53->74 file14 signatures15 process16 file17 96 C:\ProgramData\Microsoft\...\Report.wer, Unicode 57->96 dropped 76 Conhost.exe 60->76         started        78 Conhost.exe 66->78         started        80 Conhost.exe 68->80         started        82 Conhost.exe 74->82         started        process18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3847b2b3358e1367eea88ac614bcb5d760126b5a9fa59513966197b10b2f99a6
Verdict:
inconclusive
YARA:
11 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.20 Win 32 Exe x86
Link:
https://app.malva.re/file/c470470673fa6f77d53a7b251bc10be6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3847b2b3358e1367eea88ac614bcb5d760126b5a9fa59513966197b10b2f99a6/
Threat name:
Win32.Backdoor.MarteVenomRAT
Create hunting rule
Status:
Malicious
First seen:
2025-08-09 20:07:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hbd3fmzvryjwp3virldbjpfv25qbe222t6szke4wmgl3cczptgta._file
Verdict:
malicious
Label(s):
balkanrat
Create hunting rule
Similar samples:
048de3a8928baf0e340d1331f4b3d9b115c7c7a3f088459e9b2e2ed60847f164
XWorm
3847b2b3358e1367eea88ac614bcb5d760126b5a9fa59513966197b10b2f99a6
XWorm
4b2f7b4605c6c357a779a5979256b432b601d06773b816cf66724f01797845c4
XWorm
ab6b0c8a2fd898517ff036b9fc94ce581febdab5a69433f491fb70bc55ee1833
XWorm
error
XWorm
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:gurcu family:salatstealer family:xworm credential_access defense_evasion discovery execution persistence privilege_escalation rat spyware stealer trojan upx
Link:
https://tria.ge/reports/250821-p5dnhsbp5x/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Event Triggered Execution: AppInit DLLs
Modifies trusted root certificate store through registry
Contains code to disable Windows Defender
Detect SalatStealer payload
Detect Xworm Payload
Gurcu family
Gurcu, WhiteSnake
Salatstealer family
Xworm
Xworm family
salatstealer
Malware Config
C2 Extraction:
PULSARRR-33300.portmap.io:33300
https://api.telegram.org/bot8456009758:AAFz4SUn8S7LWmHKvqoomIM2YIf0DIHf9h0/sendMessage?chat_id=1682438732
Verdict:
Malicious
Tags:
Win.Packed.Packy-10033570-0
YARA:
n/a
Link:
https://app.threat.zone/submission/f823cd72-8d1d-4ce1-bb4a-ccae0aea2743
Unpacked files
SH256 hash:
3847b2b3358e1367eea88ac614bcb5d760126b5a9fa59513966197b10b2f99a6
MD5 hash:
c470470673fa6f77d53a7b251bc10be6
SHA1 hash:
c3bb1ee558c303c86200709144c23b938824c0cb
Link:
https://www.unpac.me/results/73199334-46c4-4b3f-8b1a-0356dd037d49/
SH256 hash:
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
MD5 hash:
16e5a492c9c6ae34c59683be9c51fa31
SHA1 hash:
97031b41f5c56f371c28ae0d62a2df7d585adaba
Link:
https://www.unpac.me/results/73199334-46c4-4b3f-8b1a-0356dd037d49/
SH256 hash:
e912f47089fab02f70c18ccef2e05ab429be953a13f5dbe477fd6f89edce8084
MD5 hash:
22a5b020e27d2b0784f57fac48da0d25
SHA1 hash:
3b72a1f9bc7d27907aa0f7ee25d9c9de82a39f31
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
INDICATOR_EXE_Packed_Goliath
Create hunting rule
Link:
https://www.unpac.me/results/73199334-46c4-4b3f-8b1a-0356dd037d49/
SH256 hash:
b1d95dcddc79544793f9d621dbc06a6096c0b032e207f802a9a9531c91a9564b
MD5 hash:
2a2e508b93ac3d680861d37cf1028587
SHA1 hash:
5147be780c107acd30c252df347f0744c7642a8e
Detections:
win_xworm_w0
Create hunting rule
win_xworm_bytestring
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/73199334-46c4-4b3f-8b1a-0356dd037d49/
SH256 hash:
7a42fbac6188e79e640ee9dbe6f06ec613e731f58e7e1d6aba46572434ed90aa
MD5 hash:
e53b4d9571548fe2c5506fbc0e289916
SHA1 hash:
3ae7747179f1853ead9a84b9f30f6f4c6d71cdb4
Link:
https://www.unpac.me/results/73199334-46c4-4b3f-8b1a-0356dd037d49/
SH256 hash:
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46
MD5 hash:
ec801a7d4b72a288ec6c207bb9ff0131
SHA1 hash:
32eec2ae1f9e201516fa7fcdc16c4928f7997561
Detections:
INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
INDICATOR_EXE_Packed_Goliath
Create hunting rule
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/73199334-46c4-4b3f-8b1a-0356dd037d49/
Parent samples :
c332bac5bfa6b4e806dbe65ff8b4041c7d931e6709349218f361437e1ae52c2f
261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc
cc92c665e4e26f4bf880e69666f019f9d568533510d8ca3d5e4651c1e121231e
b99cd41e40fa63ebe8efc4f1263d9fe3c0151a05ac580ee5421ca365f163e5ea
709f5ad2bad14a2c881948f0ddb7b7f67e1b91ef981541f735c6a90e34c566fb
1691f0ab36468cfed1f7ebead04c3b46c11c4d8614aed53ff7060e7e7d669a4c
3847b2b3358e1367eea88ac614bcb5d760126b5a9fa59513966197b10b2f99a6
bdcdd7e8a1780076e09fa5f1635603ed07199a0f8a595e7ad5c089887d5a4cbf
dc8decaba2fbe09e0ca95485ed06376e65ba7e77869868beecf8f937747a213f
4e57af02f430ffdacb81b8b597b251bac12de9c0703fb5325411dc83ca8d8e11
SH256 hash:
ea8a215c04750fe493f18aceeb4afacf4fedc4c105add415f5889188bd048c63
MD5 hash:
32d0c98e2d2dabf436095e0eb4f32c5f
SHA1 hash:
50ba3072a6ff8018ad58211a7ace7382b6ce731e
Detections:
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Link:
https://www.unpac.me/results/73199334-46c4-4b3f-8b1a-0356dd037d49/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3847b2b3358e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/22771/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments