MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d2d8c833ad15c1e8c63054d80e70973bc507eaa5c969e7e172768d49c5584e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d2d8c833ad15c1e8c63054d80e70973bc507eaa5c969e7e172768d49c5584e8
SHA3-384 hash: 7402e559cfad87b9c82ce1aebddec23e1cd55afd26bcd3218065ca3013ae612503482e5b599070901e6775e5bee325ca
SHA1 hash: 92918fe63c1f672d3d5943e3dab91a1ddee08fee
MD5 hash: d4a2267204d22a676626e22fb46a10be
humanhash: queen-robert-batman-cold
File name:d4a2267204d22a676626e22fb46a10be.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:3'384'590 bytes
First seen:2024-02-06 07:51:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 75e9596d74d063246ba6f3ac7c5369a0 (8 x DCRat, 5 x PythonStealer, 4 x CoinMiner)
ssdeep 98304:FsRuykaattW6MhZY5Bg99ojRpB1YQGLSg:mQVttW6KZeg4VX19GF
Threatray 32 similar samples on MalwareBazaar
TLSH T127F53312FCC2D4B2C26246322A169B61657D7E102B674FEBB3D42A6DFC212D27731F91
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/474805/
Detection(s):
Win.Dropper.njRAT-9986242-0
Create hunting rule

Win.Dropper.Nanocore-9986456-0
Create hunting rule

Win.Malware.Bladabindi-10008357-0
Create hunting rule

Win.Packed.Babar-10012967-0
Create hunting rule

Win.Packed.Bladabindi-10017056-0
Create hunting rule

Win.Malware.Zenpak-10017873-0
Create hunting rule

Win.Malware.Zusy-10017928-0
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm fingerprint installer lolbin overlay packed packed packed setupapi sfx shdocvw shell32 xpack xworm
Link:
https://www.filescan.io/uploads/65c1e52575224709405bd79c/reports/f79b44d9-04ee-4c1f-8c45-8cee7aec48c3/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/3d2d8c833ad15c1e8c63054d80e70973bc507eaa5c969e7e172768d49c5584e8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/55553e8f-186c-41c4-92ac-d3c68d51ecdd
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1387349
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3d2d8c833ad15c1e8c63054d80e70973bc507eaa5c969e7e172768d49c5584e8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d2d8c833ad15c1e8c63054d80e70973bc507eaa5c969e7e172768d49c5584e8/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2024-02-05 18:22:45 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=huwyzaz22fob5dddavgybzyjoo6fa7vklslj47qxe5unjhcvqtua._file
Verdict:
malicious
Similar samples:
0a613705ceebf383ab71a0737b60833fa0e89c22d775c1d6cca04a926e88ca29
XWorm
10a0cd35d770302a11a9304bfb4327a380f19e9814a094b0ac5d0753bd6ba3da
XWorm
1d594311e4d7dae3812674927df0fdf132fb5ab2d9613b445777282f7a3ee170
XWorm
1e44d81797cf4c1f833671a395282c00d90667d8220d7f1c6fef35c500161363
XWorm
31fb4e3de00fdb16562c1b03088df5245e45a49fb3646c90f1e5df0e9bc0acd0
XWorm
eac27ea606e7f61b9c1a0467212b1adcfe01041dc8885a5d3220509b9b812824
XWorm
+ 22 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence themida trojan
Link:
https://tria.ge/reports/240206-jqdr3schcn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a
MD5 hash:
c02a029c978f13b753c6b578b1588c75
SHA1 hash:
e125d59451e7f467bfd329a00a506decbcd91d83
Link:
https://www.unpac.me/results/d78243c1-3e32-413d-879d-4b79499ff398/
SH256 hash:
3d2d8c833ad15c1e8c63054d80e70973bc507eaa5c969e7e172768d49c5584e8
MD5 hash:
d4a2267204d22a676626e22fb46a10be
SHA1 hash:
92918fe63c1f672d3d5943e3dab91a1ddee08fee
Link:
https://www.unpac.me/results/d78243c1-3e32-413d-879d-4b79499ff398/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3d2d8c833ad1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d2d8c833ad15c1e8c63054d80e70973bc507eaa5c969e7e172768d49c5584e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Executable exe 3d2d8c833ad15c1e8c63054d80e70973bc507eaa5c969e7e172768d49c5584e8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2757149/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/474805/

Comments