MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ca2df830068d109a89d63e7e151817cad8304ef3b01f0f2a8ac0016d3f4f8f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 18

Intelligence 18 IOCs 1 YARA 4 File information Comments

SHA256 hash:	3ca2df830068d109a89d63e7e151817cad8304ef3b01f0f2a8ac0016d3f4f8f4
SHA3-384 hash:	287e4581dfebc4fb71512a80dd147264c70e7b0b04322dbea62522b36027368b8898c494197dde686606e28e4c77b350
SHA1 hash:	b993b288840f810895395bf26a6d64647f6da28c
MD5 hash:	e562cfcbd98a86a4f11ef2cde4ec6260
humanhash:	king-yankee-yellow-echo
File name:	payload2.exe
Download:	download sample
Signature	XWorm Create hunting rule
File size:	29'184 bytes
First seen:	2025-10-09 10:32:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	384:SBx/SCB8cqtCztBd9Hy2inYs30KyLfzo8uiJhlHNMuHpdkbwu+2DZwndh8hqb8Dl:ixqCBhRD9Hy2if3tyLfHz6birQp
Threatray	980 similar samples on MalwareBazaar
TLSH	T1D8D2B0127BBE8264D4EE0B3E887342A40139F9D62A63CA5E8DD4805F5DEB7C1CF42790
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	ShadowOpCode
Tags:	exe xworm

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
216.9.227.107:1122	https://threatfox.abuse.ch/ioc/1608270/

Intelligence

File Origin

# of uploads :

# of downloads :

111

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

payload2.exe

Verdict:

Malicious activity

Analysis date:

2025-10-09 10:34:48 UTC

Tags:

auto-startup telegram xworm remote ims-api generic

Link:

https://app.any.run/tasks/6025490b-6897-41ab-aa24-850ead7999c1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/31263/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68e78f777f305fa2545de6da

Tags:

autorun extens keylog blic

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %AppData% directory

Creating a window

Using the Windows Management Instrumentation requests

Sending a custom TCP request

DNS request

Connection attempt

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Setting a global event handler for the keyboard

Connection attempt to an infection source

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm base64 fingerprint packed reconnaissance

Link:

https://www.filescan.io/uploads/68e78f77d4a0085473c551a2/reports/003ad262-9a60-40ef-94a9-701b786d117c/overview

Verdict:

Malicious

Labled as:

IL:Trojan.MSILZilla

Link:

https://www.hybrid-analysis.com/sample/3ca2df830068d109a89d63e7e151817cad8304ef3b01f0f2a8ac0016d3f4f8f4

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-09T07:47:00Z UTC

Last seen:

2025-10-11T01:31:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan.Win32.Generic Backdoor.MSIL.XWorm.b Backdoor.MSIL.Agent.sb PDM:Trojan.Win32.Generic HEUR:Backdoor.MSIL.XClient.b Backdoor.Agent.TCP.C&C Trojan.MSIL.Agent.sb Backdoor.MSIL.XWorm.a Backdoor.XWorm.HTTP.C&C Trojan.Win32.Agent.sb Trojan.MSIL.Crypt.sb

Link:

https://opentip.kaspersky.com/3ca2df830068d109a89d63e7e151817cad8304ef3b01f0f2a8ac0016d3f4f8f4/results?tab=lookup

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/47da2f0a-0e44-4c8c-b342-2f3d0a8cdb81

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3ca2df830068d109a89d63e7e151817cad8304ef3b01f0f2a8ac0016d3f4f8f4

Verdict:

inconclusive

YARA:

9 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.46 Win 32 Exe x86

Link:

https://app.malva.re/file/e562cfcbd98a86a4f11ef2cde4ec6260

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3ca2df830068d109a89d63e7e151817cad8304ef3b01f0f2a8ac0016d3f4f8f4/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/3ca2df830068d109a89d63e7e151817cad8304ef3b01f0f2a8ac0016d3f4f8f4

Threat name:

ByteCode-MSIL.Trojan.Zilla

Status:

Malicious

First seen:

2025-10-09 10:46:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hsrn7ayandiqtke5mpt6cumbpswygbhphma7b4vivqabnu7u7d2a._file

Verdict:

malicious

Label(s):

xworm

XWorm

169d87b4ec1fca136e4738b4a9a94210a605b8d4d39e4cf7288b34024c604288

XWorm

1d45eb7d7e5c1aff275b8cb671dace325f8f18932b186475240a2026115e92cc

XWorm

36de97d34c27bc19163101bfcc6a8a32bf411fd099119cd04a86a40dda4bac4d

XWorm

9a843a46b22077ebb8e5bc72a519bee7c53d928f0ca0f5f1b81067970c3de735

XWorm

a02f741d30e33d72c6fdecf0ae1fafa2c44bfd40987a9480c2a11d8f5cd058d4

XWorm

c41382baf0579770f75c871c2131638aa699af0e9e6a7fb44e053e325a55409f

XWorm

error

XWorm

+ 970 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm persistence rat trojan

Link:

https://tria.ge/reports/251009-mlrd6awrx4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Adds Run key to start application

Drops startup file

Executes dropped EXE

Detect Xworm Payload

Xworm

Xworm family

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d9fdcc5c-4ba8-409b-abad-187e998bda87

Unpacked files

SH256 hash:

3ca2df830068d109a89d63e7e151817cad8304ef3b01f0f2a8ac0016d3f4f8f4

MD5 hash:

e562cfcbd98a86a4f11ef2cde4ec6260

SHA1 hash:

b993b288840f810895395bf26a6d64647f6da28c

Link:

https://www.unpac.me/results/5442ed94-ef25-4a5d-98c2-8c03cf69e12c/

SH256 hash:

6747c14f3fbcfd649d9691621222a1814965a38c44d640b66d19b21f1936fbf2

MD5 hash:

b7597ed2a495b1463e1fae88b45da73b

SHA1 hash:

563d7cae05c479ce98236c1048e164598a08bd14

Detections:

win_xworm_a0

win_xworm_w0

XWorm

win_xworm_bytestring

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

MALWARE_Win_XWorm

Link:

https://www.unpac.me/results/5442ed94-ef25-4a5d-98c2-8c03cf69e12c/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3ca2df830068/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3ca2df830068d109a89d63e7e151817cad8304ef3b01f0f2a8ac0016d3f4f8f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/0bf356a2-2417-48d3-bd75-0be406580ee7

Cape

https://www.capesandbox.com/analysis/31263/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample