MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 416a2a9c374574f8fcb7f90e775069e7d4606c0155f964886096e41f45d16548. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 416a2a9c374574f8fcb7f90e775069e7d4606c0155f964886096e41f45d16548
SHA3-384 hash: af30b5b4c8a6ff779b831522731e6f4b0e26d14d242282606eefe56f6e9a0c50ed91b7795a5b0799727237dcee321563
SHA1 hash: 2f3e1dcdd00790e1cf274151c4eec465524d60df
MD5 hash: 3c7a07fe113ba143f466e9a2f6a29917
humanhash: india-beryllium-network-purple
File name:416a2a9c374574f8fcb7f90e775069e7d4606c0155f964886096e41f45d16548
Download: download sample
Signature XWorm
Create hunting rule
File size:2'690 bytes
First seen:2024-09-24 10:03:30 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/octet-stream
ssdeep 48:8aT1rsz41/pLeNehMIWyD81gEXv3KaGYk:8a2clpLWTQD6vKZY
TLSH T14951021A23DDD335C376C63798AAE3414A31BC56E8535B6E11D092DC6C56304E836F6E
Magika lnk
Reporter JAMESWT_WT
Tags:bulletrdp-ru lnk xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27118.LnkHeur.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.26476.PshHeur.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.20221214.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.ShowMe.20221215.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f28e9a8aca58c2b2c70f4f
Tags:
Encryption Execution Network Stealth Generickd Obfuscate Corrupt Gumen Overt
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/416a2a9c374574f8fcb7f90e775069e7d4606c0155f964886096e41f45d16548/results/dashboard
Payload URLs
URL
File name
https://bulletrdp.ru/lpg.cmd
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd lolbin masquerade
Link:
https://www.filescan.io/uploads/66f28e9d949df385961f9f8d/reports/09f891f5-4733-4d2d-a1c1-8687987410be/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/416a2a9c374574f8fcb7f90e775069e7d4606c0155f964886096e41f45d16548
Result
Verdict:
MALICIOUS
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1516544
Signature
AI detected suspicious sample
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Curl Download And Execute Combination
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Uses the Telegram API (likely for C&C communication)
Very long command line found
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1516544 Sample: ha9wYxkNI7.lnk Startdate: 24/09/2024 Architecture: WINDOWS Score: 100 50 api.telegram.org 2->50 52 bulletrdp.ru 2->52 62 Suricata IDS alerts for network traffic 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Windows shortcut file (LNK) starts blacklisted processes 2->66 70 8 other signatures 2->70 10 cmd.exe 1 2->10         started        13 cmd.exe 1 2->13         started        signatures3 68 Uses the Telegram API (likely for C&C communication) 50->68 process4 signatures5 74 Windows shortcut file (LNK) starts blacklisted processes 10->74 76 Very long command line found 10->76 78 Suspicious command line found 10->78 15 cmd.exe 1 10->15         started        18 curl.exe 2 10->18         started        22 conhost.exe 1 10->22         started        24 conhost.exe 13->24         started        process6 dnsIp7 86 Windows shortcut file (LNK) starts blacklisted processes 15->86 88 Very long command line found 15->88 90 Suspicious command line found 15->90 26 powershell.exe 14 30 15->26         started        31 conhost.exe 15->31         started        33 cmd.exe 1 15->33         started        54 bulletrdp.ru 172.67.192.103, 443, 49707 CLOUDFLARENETUS United States 18->54 56 127.0.0.1 unknown unknown 18->56 46 C:\Users\user\fbi.cmd, ASCII 18->46 dropped file8 signatures9 process10 dnsIp11 58 api.telegram.org 149.154.167.220, 443, 49713 TELEGRAMRU United Kingdom 26->58 60 2.56.245.123, 3501, 49714 GBTCLOUDUS Germany 26->60 48 C:\Users\user\AppData\Roaming\SC.cmd, ASCII 26->48 dropped 80 Windows shortcut file (LNK) starts blacklisted processes 26->80 82 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 26->82 84 Suspicious powershell command line found 26->84 35 powershell.exe 37 26->35         started        38 powershell.exe 36 26->38         started        40 powershell.exe 28 26->40         started        file12 signatures13 process14 signatures15 72 Loading BitLocker PowerShell Module 35->72 42 conhost.exe 35->42         started        44 conhost.exe 38->44         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/416a2a9c374574f8fcb7f90e775069e7d4606c0155f964886096e41f45d16548/
Threat name:
Win32.Trojan.WinLnk
Create hunting rule
Status:
Malicious
First seen:
2024-09-23 03:46:47 UTC
File Type:
Binary
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ifvcvhbxiv2pr7fx7ehhoudj47kga3abkx4wjcdas3sb6rormvea._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/240924-l3x3lazgnl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/416a2a9c374574f8fcb7f90e775069e7d4606c0155f964886096e41f45d16548

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:Execution_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies execution artefacts in shortcut (LNK) files.
Rule name:EXE_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies executable artefacts in shortcut (LNK) files.
Rule name:LNK_sospechosos
Create hunting rule
Author:Germán Fernández
Description:Detecta archivos .lnk sospechosos
Rule name:Script_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies scripting artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_CMD
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to cmd.exe inside an lnk file, which is suspicious
Rule name:SUSP_LNK_SmallScreenSize
Create hunting rule
Author:Greg Lesnewich
Description:check for LNKs that have a screen buffer size and WindowSize dimensions of 1x1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments