MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4459d95c0493d640ecc9453cf6a4f2b7538b1a7b95032f70803fc726b8e40422. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 15


Intelligence 15 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4459d95c0493d640ecc9453cf6a4f2b7538b1a7b95032f70803fc726b8e40422
SHA3-384 hash: 8ddf21f0bb8fca7e61eac85e4040d6797ee50506004245987a6ffb7e711e5ab007ff12acca15b205fe089ff3039acb01
SHA1 hash: a47f3baff8d643de3ea02eee673a6f144b9e4ced
MD5 hash: 26d3b37eea33119ad75568912b9ddf37
humanhash: network-football-kentucky-ceiling
File name:XClient_2.bin
Download: download sample
Signature XWorm
Create hunting rule
File size:38'400 bytes
First seen:2023-08-30 06:58:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 768:9Plh9TTg7TFGYJ2bjB61216LH/FP192N3OphirO:9Nh9/gzi16McLfFt92ZOpCO
Threatray 183 similar samples on MalwareBazaar
TLSH T159034B483BE58311E6FD6BF02973A1054579E90B9913EB5F0CD489DA2F337818E427E6
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter JAMESWT_WT
Tags:exe xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
XClient.exe
Verdict:
Malicious activity
Analysis date:
2023-08-16 17:00:24 UTC
Tags:
xworm remote ransomware
Link:
https://app.any.run/tasks/b9275944-39fe-42cb-9eae-6b2e05f0892f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445252/
Detection(s):
Win.Packed.njRAT-10002074-1
Create hunting rule

Win.Packed.Msilzilla-10002982-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.XWorm.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Launching a process
Creating a process with a hidden window
Creating a window
Enabling the 'hidden' option for recently created files
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm cmd explorer greyware lolbin masquerade packed replace schtasks
Link:
https://www.filescan.io/uploads/64eee8b8b3b7d7c782d12aa7/reports/eb5fa7fc-99c9-4b37-ac00-df3d0d44b4be/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/4459d95c0493d640ecc9453cf6a4f2b7538b1a7b95032f70803fc726b8e40422
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5d426570-9232-4229-8d3d-6d3919b24079
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1300207
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4459d95c0493d640ecc9453cf6a4f2b7538b1a7b95032f70803fc726b8e40422/
Threat name:
ByteCode-MSIL.Backdoor.XWorm
Create hunting rule
Status:
Malicious
First seen:
2023-08-30 06:57:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=irm5sxaespleb3gjiu6pnjhsw5jywgt3subs64eah7dsnoheaqra._file
Verdict:
malicious
Similar samples:
272020147f63f7311c238f51c501bee8be102f5b3b3136e4a10997d8eddad770
XWorm
2eb02ce78ef2d03967bd2bd9bfca795a49c769120a65515234318bafe2106e50
XWorm
63d46c697ee100fbe7388416033ea0509130e12f144decb1a913e3dc8b82f6ba
XWorm
73accd4c8a54dbd0aee9321d98a00ba096ebfddd006c7a21f9cc1f050e2a1e61
XWorm
777a742286d0f7283f50cffe654e8d7c34f14f261fc1e6a120289f52b28e64d3
XWorm
820bb1a31f421b90ea51efc3e71cc720c8c2784fb1e882e732e8fafb8631a389
XWorm
ba82a9c832160874c537f1907f246ed9ae136c2c42ed07125c6761c2973a47d1
XWorm
cd06c5cab073f32aad0de1af7ca1356d3a7ca18858d54981e1156ebe17939fce
XWorm
+ 173 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm persistence rat trojan
Link:
https://tria.ge/reports/230830-hr21maac83/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Executes dropped EXE
Xworm
Malware Config
C2 Extraction:
16.ip.gl.ply.gg:15179
Unpacked files
SH256 hash:
4459d95c0493d640ecc9453cf6a4f2b7538b1a7b95032f70803fc726b8e40422
MD5 hash:
26d3b37eea33119ad75568912b9ddf37
SHA1 hash:
a47f3baff8d643de3ea02eee673a6f144b9e4ced
Detections:
XWorm
Create hunting rule
Link:
https://www.unpac.me/results/390f703e-a28f-406d-a269-e74935be6fce/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4459d95c0493d640ecc9453cf6a4f2b7538b1a7b95032f70803fc726b8e40422

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:win_delivery_check_g0
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/445252/

Comments