MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 392d7cb3aef7c58452ef07b02dd8f63e680c913f5ce4d94553adf86241b389e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XBinder

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments

SHA256 hash:	392d7cb3aef7c58452ef07b02dd8f63e680c913f5ce4d94553adf86241b389e7
SHA3-384 hash:	6354b51f32003b48b882cb5dc6f0c6efb538b804f03fa82d4d9667217d614b9071d5e33b50a20e43b22f029819b2c3dc
SHA1 hash:	8ae351b9b9e2ad8d9b68c1bc70892db5aefdac21
MD5 hash:	dff11248cb2fef62978f0f6909625a63
humanhash:	seventeen-earth-video-wisconsin
File name:	392d7cb3aef7c58452ef07b02dd8f63e680c913f5ce4d94553adf86241b389e7
Download:	download sample
Signature	XBinder Create hunting rule
File size:	10'379'776 bytes
First seen:	2026-02-02 20:05:20 UTC
Last seen:	2026-02-02 20:23:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'757 x AgentTesla, 19'664 x Formbook, 12'254 x SnakeKeylogger)
ssdeep	196608:z6n0oLeJkck3trXZiJuYJijwt8vYx5UwD3M+5/dwJOWpZHZ0EKH7Se:zCeJBuYBJzy055A4/CHyEKH
Threatray	81 similar samples on MalwareBazaar
TLSH	T1DCA63355F4E5AF09ECEF50F026D395E96058E7849913AB0453DA0DA128B2327CDBB0BF
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	Neiki
Tags:	exe xbinder

Intelligence

File Origin

# of uploads :

# of downloads :

142

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

EvilCoder

Details

EvilCoder

extracted components, their filepaths, and possibly registry installation

Link:

https://research.acce.ciphertechsolutions.com/results/6011243a-ed43-4b55-8e04-0be6285d3e01/

Malware family:

n/a

ID:

File name:

AorusLauncher.exe

Verdict:

No threats detected

Analysis date:

2026-02-02 19:59:54 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e7c4b30a-7975-4e73-aa45-d9568ec5a218

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

A310Logger

Link:

https://www.capesandbox.com/analysis/51340/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6981023c4cec271dd7053601

Tags:

vmdetect

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Connection attempt

Sending an HTTP GET request

Launching a process

Creating a window

Searching for the window

Searching for synchronization primitives

Changing a file

Creating a process with a hidden window

Reading critical registry keys

Moving a recently created file

Replacing files

DNS request

Sending a custom TCP request

Unauthorized injection to a recently created process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

explorer lolbin packed reconnaissance vbnet

Link:

https://www.filescan.io/uploads/69810386981ff1d38a45605c/reports/68297e9a-971a-48fe-8905-61a0bfe12241/overview

Verdict:

Malicious

Labled as:

MSIL.Packy.Generic

Link:

https://www.hybrid-analysis.com/sample/392d7cb3aef7c58452ef07b02dd8f63e680c913f5ce4d94553adf86241b389e7

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-02-02T17:04:00Z UTC

Last seen:

2026-02-04T11:05:00Z UTC

Hits:

~100

Detections:

Trojan-PSW.MSIL.DiscoStealer.sb Trojan.MSIL.Agent.sba Trojan-PSW.Win32.Disco.sb Trojan-PSW.Win32.Coins.sb Trojan-PSW.Win32.Agent.sb Trojan-PSW.MSIL.Stealer.sb Trojan-GameThief.MSIL.Worgtop.c Trojan-Banker.MSIL.Evital.gen HEUR:Trojan.MSIL.Revenge.gen Trojan-PSW.MSIL.Agent.sb Trojan-PSW.Win32.Stealer.sb Trojan-GameThief.Win32.Worgtop.f Trojan-GameThief.MSIL.Worgtop.b Trojan.MSIL.Agent.sb HEUR:Trojan-PSW.MSIL.Stealer.gen PDM:Trojan.Win32.Generic Trojan.Win32.Agent.sb

Link:

https://opentip.kaspersky.com/392d7cb3aef7c58452ef07b02dd8f63e680c913f5ce4d94553adf86241b389e7/results?tab=lookup

Malware family:

ModernLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d7aa3ea6-3734-46e7-8283-8ce6965c785e

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/392d7cb3aef7c58452ef07b02dd8f63e680c913f5ce4d94553adf86241b389e7

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.21 Win 32 Exe x86

Link:

https://app.malva.re/file/dff11248cb2fef62978f0f6909625a63

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/392d7cb3aef7c58452ef07b02dd8f63e680c913f5ce4d94553adf86241b389e7/

Verdict:

Malicious

Threat:

Family.XBINDER

Link:

https://tip.neiki.dev/file/392d7cb3aef7c58452ef07b02dd8f63e680c913f5ce4d94553adf86241b389e7

Threat name:

ByteCode-MSIL.Trojan.XWormRAT

Status:

Malicious

First seen:

2026-02-02 19:59:57 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 35 (71.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hewxzm5o67cyiuxpa6yc3whwhzuazej7ltsnsrktvx4geqntrhtq._file

Verdict:

malicious

Label(s):

unc_loader_063

unixstealer

arcaneloader

XBinder

23d7babb495752b4da776ec6d2fff0d9d5ce141a8245f43ba45a91033e17a6c7

XBinder

34822acd6910204466df919f3ffb25cad90518d54a6945b143fd2705283112bd

XBinder

392d7cb3aef7c58452ef07b02dd8f63e680c913f5ce4d94553adf86241b389e7

XBinder

42cfb7c71744bc3f0fcf02e326f2d85b0b285a02a2a75b4578c34f592eb0af59

XBinder

error

XBinder

+ 71 additional samples on MalwareBazaar

Result

Malware family:

growtopia

Score:

10/10

Tags:

family:blackguard family:growtopia discovery stealer

Link:

https://tria.ge/reports/260202-yt5gjabv5b/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Time Discovery

Drops file in Program Files directory

Drops file in Windows directory

Checks computer location settings

Executes dropped EXE

BlackGuard

Blackguard family

Growtopia

Growtopia family

Unpacked files

SH256 hash:

392d7cb3aef7c58452ef07b02dd8f63e680c913f5ce4d94553adf86241b389e7

MD5 hash:

dff11248cb2fef62978f0f6909625a63

SHA1 hash:

8ae351b9b9e2ad8d9b68c1bc70892db5aefdac21

Link:

https://www.unpac.me/results/4f693fd6-28f5-4c11-aeab-d4b0155d60a4/

SH256 hash:

502108915cea00aae19e599144e535a0922adc283ccf7755d4fcca99e4f95dc1

MD5 hash:

b82ff9f226122c74f5b15aee762d207c

SHA1 hash:

8a7a92f8d29e2a7117095ad407a66a8fd4d2229a

Detections:

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_ClearWinLogs

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

INDICATOR_SUSPICIOUS_VM_Evasion_MACAddrComb

INDICATOR_SUSPICIOUS_EXE_CC_Regex

INDICATOR_SUSPICIOUS_EXE_Discord_Regex

INDICATOR_SUSPICIOUS_EXE_References_VPN

MALWARE_Win_A310Logger

Link:

https://www.unpac.me/results/4f693fd6-28f5-4c11-aeab-d4b0155d60a4/

Parent samples :

231fd53698c2b599aebbc7bc2ac24d813f06a20684283a4d9cfcebdc4004ad94
392d7cb3aef7c58452ef07b02dd8f63e680c913f5ce4d94553adf86241b389e7
1cc0b85cabbabadddcdfccfd60b96ad24fb4efcd289e06d7d55cec91ef878474

SH256 hash:

7a57f57d54143a8ae02fb83206a984a6df1c044d825f5622a523a637090691ae

MD5 hash:

07fc2f294cce8d94243c20e7f0bac94a

SHA1 hash:

caae4971b32acb3da2d5c7c57acc2a12881cab12

Detections:

INDICATOR_EXE_Packed_Fody

Link:

https://www.unpac.me/results/4f693fd6-28f5-4c11-aeab-d4b0155d60a4/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/392d7cb3aef7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/392d7cb3aef7c58452ef07b02dd8f63e680c913f5ce4d94553adf86241b389e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://www.threat.rip/file/392d7cb3aef7c58452ef07b02dd8f63e680c913f5ce4d94553adf86241b389e7

Cape

https://www.capesandbox.com/analysis/51340/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample