MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cdbdeddbb04d4382fdd85e848bbfbbcc01e3dfa25df1a96c7bc6a9d1f5bbd7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XWorm


Vendor detections: 17



SHA256 hash: 3cdbdeddbb04d4382fdd85e848bbfbbcc01e3dfa25df1a96c7bc6a9d1f5bbd7f
SHA3-384 hash: ed5aa8853752de3c835d6a7965947fc50ead13507a1471240ebc235380bb7db16e1a5de0b93f34f8e55b4980c84cd3e9
SHA1 hash: f7ff600c6eefed25b31490925450cd51a8b005f6
MD5 hash: a4661802477b9b7ef80b4284d440b252
humanhash: quiet-comet-kansas-artist
File name:MB267382625AE.PDF.exe
Signature XWorm
File size:565'248 bytes
First seen:2025-07-15 04:00:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:hlV5RSkAroJf/gazxirdn1GnHZCyTVNSpy0ygO7:h/5RSHatix1AHMy+QlN
TLSH T1A0C4F10DFA75AD20CA9D0F32832319B591AB9C57F626F71B0CC938C21F35B85D5CAA46
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon ccb66361791992cc (11 x Formbook, 6 x VIPKeylogger, 2 x XWorm)
Reporter abuse_ch
Tags:exe xworm


abuse_ch
XWorm C2:
167.160.161.140:1012

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC	ThreatFox Reference
167.160.161.140:1012	https://threatfox.abuse.ch/ioc/1556792/

Intelligence


File Origin
# of uploads :
1
# of downloads :
37
Origin country :
NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MB267382625AE.PDF.exe
Verdict:
Malicious activity
Analysis date:
2025-07-15 04:01:11 UTC
Tags:
auto-startup auto-sch-xml netreactor remote xworm crypto-regex

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Tags:
micro spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating synchronization primitives
Sending a custom TCP request
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 lolbin masquerade msbuild obfuscated packed reconnaissance regsvcs rezer0 roboski schtasks vbc vbnet xworm
Verdict:
Malicious
Labeled as:
HackTool[Obfuscator]/MSIL.DeepSea
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected XWorm
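The Sigma-style signatures in the list above (base64-encoded MpPreference cmdlet, scheduled task created from a temp-location XML, double-extension execution, PowerShell execution-policy bypass) expressed as detection logic over process-creation events. This is an added example, not code from MalwareBazaar or from any of the sandboxes quoted on this page. The events it runs over are constructed to mirror the behaviour reported for this sample; the exclusion path, the task name and the exact command lines are assumptions, since the page does not publish the command lines the sample used.

```python
import base64
import binascii
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (what Sysmon Event ID 1 or 4688 would carry)."""
    image: str      # full path of the created process
    cmdline: str    # its command line


def encode_ps(command: str) -> str:
    """Encode a command the way PowerShell's -EncodedCommand expects it (UTF-16LE, base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


ENC_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def powershell_base64_mppreference(ev: ProcEvent) -> bool:
    """Sigma: Powershell Base64 Encoded MpPreference Cmdlet (Defender exclusion hidden behind -enc)."""
    if _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    decoded = decode_encoded_command(ev.cmdline)
    return bool(decoded and re.search(r"(?i)\b(add|set)-mppreference\b.*-exclusion", decoded))


def powershell_execution_policy_bypass(ev: ProcEvent) -> bool:
    """Joe Sandbox: Bypasses PowerShell execution policy (-ExecutionPolicy / -ep Bypass|Unrestricted)."""
    if _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    return re.search(r"(?i)-(?:ex|ep|executionpolicy)\s+(?:bypass|unrestricted)", ev.cmdline) is not None


def schtasks_temp_xml(ev: ProcEvent) -> bool:
    """Sigma: Scheduled temp file as task from temp location (schtasks /create /xml <...\\Temp\\...>)."""
    if _basename(ev.image) != "schtasks.exe":
        return False
    c = ev.cmdline.lower()
    return "/create" in c and "/xml" in c and re.search(r'\\temp\\[^\s"]+', c) is not None


DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|jpe?g|png|txt|zip|rar)\.(?:exe|scr|com|pif)$")


def double_extension_execution(ev: ProcEvent) -> bool:
    """Sigma: Suspicious Double Extension File Execution (e.g. something.PDF.exe)."""
    return DOUBLE_EXT.search(_basename(ev.image)) is not None


RULES = (powershell_base64_mppreference, powershell_execution_policy_bypass,
         schtasks_temp_xml, double_extension_execution)


def run_detections(events):
    """Return (rule name, image) for every rule that fires on every event, in event order."""
    return [(rule.__name__, ev.image) for ev in events for rule in RULES if rule(ev)]


# Constructed events modelled on the sandbox report; arguments are assumptions, not recovered values.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
EXCLUSION_CMD = encode_ps(r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'")
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\MB267382625AE.PDF.exe",
              r'"C:\Users\user\Desktop\MB267382625AE.PDF.exe"'),
    ProcEvent(PS, "powershell.exe -NoProfile -ExecutionPolicy Bypass -enc " + EXCLUSION_CMD),
    ProcEvent(SCHTASKS,
              r'schtasks.exe /Create /TN "Updater" /XML "C:\Users\user\AppData\Local\Temp\tmp2B5B.tmp" /F'),
    # benign controls: an encoded command that does not touch Defender, a task XML outside Temp
    ProcEvent(PS, "powershell.exe -enc " + encode_ps("Get-Date")),
    ProcEvent(SCHTASKS, r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"'),
]

if __name__ == "__main__":
    for rule_name, image in run_detections(SAMPLE_EVENTS):
        print(f"{rule_name:36s} {image}")
```

The decode step matters more than the keyword match: the MpPreference cmdlet never appears in the raw command line of an `-enc` invocation, so a rule that only greps `Add-MpPreference` on the command-line field misses exactly the pattern this sample uses. Feed real Sysmon or 4688 records into `ProcEvent` to run the same checks on live telemetry.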
Behaviour
Behavior Graph:
Behavior Graph ID: 1736690
Sample: MB267382625AE.PDF.exe
Start date: 15/07/2025
Architecture: WINDOWS
Score: 100
Graph-wide signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
Network: xpwarzonlin2.ddns.net (Uses dynamic DNS services) -> 167.160.161.140:1012 (local port 49694), ASN-QUADRANET-GLOBALUS, United States

Process tree (dropped files and per-process signatures as reported):
MB267382625AE.PDF.exe (initial sample)
  dropped: C:\Users\user\AppData\Roaming\IKReIg.exe (PE32)
  dropped: C:\Users\user\...\IKReIg.exe:Zone.Identifier (ASCII)
  dropped: C:\Users\user\AppData\Local\...\tmp2B5B.tmp (XML)
  dropped: C:\Users\user\...\MB267382625AE.PDF.exe.log (ASCII)
  signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Bypasses PowerShell execution policy; Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
  started: MB267382625AE.PDF.exe (second instance), powershell.exe (x2), 2 other processes
    MB267382625AE.PDF.exe (second instance)
      network: xpwarzonlin2.ddns.net 167.160.161.140:1012 (local port 49694)
      dropped: C:\Users\user\AppData\Roaming\bin.exe (PE32)
      signatures: Adds a directory exclusion to Windows Defender
      started: powershell.exe (x4), each with a conhost.exe child; signature: Loading BitLocker PowerShell Module
    powershell.exe (x2), each with a conhost.exe child; signature: Loading BitLocker PowerShell Module
    2 other processes (one with a conhost.exe child)
IKReIg.exe (dropped copy, started separately)
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Injects a PE file into foreign processes
  started: schtasks.exe (with a conhost.exe child), IKReIg.exe (second instance)
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PE (Portable Executable) SOS: 0.04 Win 32 Exe x86
Threat name:
ByteCode-MSIL.Trojan.XWorm
Status:
Malicious
First seen:
2025-07-15 04:00:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
unc_loader_037 xworm
Similar samples:
Result
Malware family:
Score:
  10/10
Tags:
family:xworm discovery execution persistence rat trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Unpacked files
SHA256 hash:
3cdbdeddbb04d4382fdd85e848bbfbbcc01e3dfa25df1a96c7bc6a9d1f5bbd7f
MD5 hash:
a4661802477b9b7ef80b4284d440b252
SHA1 hash:
f7ff600c6eefed25b31490925450cd51a8b005f6
SHA256 hash:
310d2591db538d776ed6249ec5491843a4aa7a8f36f8fadb15d7456a33f6c907
MD5 hash:
0cf78f255297e6e35abab43631b59e0c
SHA1 hash:
1aea51de062edaadff1b5d2ee01151f6d7077984
Detections:
win_xworm_w0 win_xworm_bytestring win_mal_XWorm INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_AsyncRAT MALWARE_Win_XWorm
SHA256 hash:
eca4853386708b06eccbe1de8b03cac99366ad7b8c2fa35923a50d2bbd55acc4
MD5 hash:
4b18fe3ed5d2f50b3d97e1f035b56e4c
SHA1 hash:
32b159b58ffc0c73d5f64f1dbb8ca30d6566b4de
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
SHA256 hash:
0ad9330f8096b30a282f53d51dfe44664f3ba3251199d25f097c01f43fe55aec
MD5 hash:
cc621595551035aa96c37e8738bfb040
SHA1 hash:
3507953a4fba3cf6df37347156f060e4e9e09ed7
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24 INDICATOR_EXE_Packed_SmartAssembly
Parent samples :
Note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:Detect_PowerShell_Obfuscation
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Author:ditekSHen
Description:Detects XWorm
Rule name:Multifamily_RAT_Detection
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Author:SECUINFRA Falcon Team
Description:Detects .NET binary that lists installed AVs
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Checks for overlay, obfuscating, encrypting, spoofing, hiding, or entropy techniques (can create FP)
Rule name:win_xworm_bytestring
Author:Matthew @ Embee_Research
Description:Detects bytestring present in unobfuscated xworm
Rule name:win_xworm_w0
Author:jeFF0Falltrades
Description:Detects win.xworm.
Rule name:xworm
Author:jeFF0Falltrades
Rule name:xworm_kingrat
Author:jeFF0Falltrades

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing DLL security characteristics (GUARD_CF)	high
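Both BLint findings come straight from the PE optional header: GUARD_CF is bit 0x4000 of DllCharacteristics, and an Authenticode signature shows up as a non-empty Security data directory (index 4, which holds a raw file offset rather than an RVA). The following added example, which is neither BLint's code nor anything from MalwareBazaar, reads those fields with only the standard library and reproduces the two findings. The PE images it checks are constructed header-only stubs (no sections, a zero-filled placeholder where a WIN_CERTIFICATE would sit), so it runs offline without the sample; on a real file, pass `open(path, "rb").read()` to `check_pe`.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
GUARD_CF = 0x4000
DYNAMIC_BASE = 0x0040      # ASLR
NX_COMPAT = 0x0100         # DEP
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def check_pe(data: bytes) -> dict:
    """Read DllCharacteristics and the Security directory from an in-memory PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    size_of_opt, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:
        pe32plus, dirs = False, 96     # PE32: data directories start at optional header + 96
    elif magic == 0x20B:
        pe32plus, dirs = True, 112     # PE32+: ImageBase and the size fields are 8 bytes wide
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars, = struct.unpack_from("<H", data, opt + 70)      # same offset in PE32 and PE32+
    num_dirs, = struct.unpack_from("<I", data, opt + dirs - 4)
    if dirs + 8 * num_dirs > size_of_opt:
        raise ValueError("data directories exceed SizeOfOptionalHeader")
    sec_off = sec_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    # A certificate table only counts if the directory actually points inside the file.
    signed = sec_size > 0 and sec_off + sec_size <= len(data)
    return {
        "pe32plus": pe32plus,
        "guard_cf": bool(dll_chars & GUARD_CF),
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "authenticode": signed,
    }


def blint_style_findings(data: bytes) -> list:
    """Map the parsed flags onto the two high-severity findings BLint raised for this sample."""
    r = check_pe(data)
    findings = []
    if not r["authenticode"]:
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    if not r["guard_cf"]:
        findings.append(("CHECK_DLL_CHARACTERISTICS",
                         "Missing DLL security characteristics (GUARD_CF)", "high"))
    return findings


def build_minimal_pe(pe32plus=False, dll_characteristics=0, with_signature=False) -> bytes:
    """Constructed header-only PE for offline testing: not loadable, no sections, fake cert blob."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: PE header follows the DOS stub
    dirs = 112 if pe32plus else 96
    num_dirs = 16
    opt = bytearray(dirs + 8 * num_dirs)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, dirs - 4, num_dirs)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (IMAGE_FILE_EXECUTABLE_IMAGE)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt), 0x0002)
    header_len = len(dos) + 4 + len(coff) + len(opt)
    cert = b""
    if with_signature:
        cert = bytes(0x200)                                 # placeholder, not a real WIN_CERTIFICATE
        struct.pack_into("<II", opt, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    print(blint_style_findings(build_minimal_pe()))
    hardened = build_minimal_pe(pe32plus=True, with_signature=True,
                                dll_characteristics=GUARD_CF | NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA)
    print(check_pe(hardened))
```

One caveat when weighing these findings: this sample is a CIL executable, and IL-only assemblies produced by the .NET compilers generally do not carry GUARD_CF, because the CLR rather than the native loader governs control flow in managed code. The missing flag is therefore weak evidence on its own; the missing Authenticode signature on a file that calls itself a PDF is the more telling of the two. Note also that a present Security directory only means a signature blob exists, not that it verifies; validating the chain needs a real Authenticode verifier.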

Comments