MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e40a4f48a6143ff7ab5b87cb65babba42c5704e65f0002109249f1b50194be7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 15

SHA256 hash: 4e40a4f48a6143ff7ab5b87cb65babba42c5704e65f0002109249f1b50194be7
SHA3-384 hash: 8e55d011f76709143e9889351ae1c4919feb3ffcfc64ea30faf9cb51c3b7f7903d48890b71ed4b60827349e673f7a31e
SHA1 hash: 478b6fc625d98ebe374400312bcea9b653085fdf
MD5 hash: fef6e5e8b1e932147a7268c35f478d42
humanhash: arkansas-winter-august-four
File name: SecuriteInfo.com.Trojan.DownLoader48.43240.12313.2666
Signature: XWorm
File size: 97'792 bytes
First seen: 2025-06-21 13:22:38 UTC
Last seen: 2025-06-21 14:19:44 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 68 x LummaStealer, 61 x Rhadamanthys)
ssdeep: 1536:jrae78zjORCDGwfdCSog013133/s5gNWPoW7yU1nT:JahKyd2n31nU5FPoWFnT
Threatray: 1'339 similar samples on MalwareBazaar
TLSH: T18DA3F896A2E410AAE4B717B45DF24523557278B85BB482AF21DDA27D0FB33C06072F0F
TrID:
  41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
  12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
  5.1% (.ICL) Windows Icons Library (generic) (2059/9)
  5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: c42b324e4e122b94 (1 x XWorm, 1 x LummaStealer)
Reporter: SecuriteInfoCom
Tags: exe xworm

Intelligence

File Origin
# of uploads: 2
# of downloads: 481
Origin country: FR
Vendor Threat Intelligence

Malware family: (none given)
ID: 1
File name: a4eba8fea147f214a12411a89ba39884225eb8e3421aa73ebd51d502397d364c.bin
Verdict: Malicious activity
Analysis date: 2025-06-21 13:20:06 UTC
Tags: delphi gcleaner loader inno installer autoit lumma stealer telegram auto generic amadey botnet autoit-loader python themida evasion quasar rat auto-reg

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Verdict: Malicious
Score: 99.9%
Tags: asyncrat autorun
Result
Verdict: Malware
Maliciousness: (not shown)
Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating synchronization primitives
Creating a process from a recently created file
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Creating a file
Launching a tool to kill processes
Forced shutdown of a system process
Unauthorized injection to a recently created process
Launching a file downloaded from the Internet
Unauthorized injection to a system process
Adding an exclusion to Microsoft Defender
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context CAB cmd explorer installer lolbin microsoft_visual_cc powershell rundll32 runonce sfx
Result
Threat name: (none given)
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell download and load assembly
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Yara detected XWorm
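The Sigma hits in the list above (Base64 Encoded PowerShell Command, PowerShell Base64 Encoded FromBase64String, Base64 Encoded MpPreference, Script Interpreter Execution From Suspicious Folder, WScript starts PowerShell) describe what a detection engineer looks for in process-creation telemetry. The Python block below is an added illustration of those checks; it is not code from MalwareBazaar or from any of the sandbox vendors quoted on this page. It assumes Sysmon-style process-creation fields (ParentImage, Image, CommandLine), and every path, file name, rule name and the encoded command in the sample events is constructed for the example, shaped after the chain this report describes (a .vbs under AppData, cmd.exe -> wscript.exe -> powershell.exe -> powershell.exe):

```python
"""Sigma-style checks over constructed process-creation events.

The events, paths and rule names below are hypothetical; they are modelled
on the execution chain reported by the sandbox, not taken from it.
"""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    event_id: int
    parent: str   # ParentImage
    image: str    # Image
    cmdline: str  # CommandLine


def make_encoded(cmd: str) -> str:
    """Encode a script the way 'powershell -EncodedCommand' expects: UTF-16LE, then base64."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed sample events (not real telemetry).
EVENTS = [
    ProcEvent(1, r"C:\Users\user\AppData\Local\Temp\dropper.exe",
              r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\user\AppData\Roaming\stage.vbs"'),
    ProcEvent(2, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\user\AppData\Roaming\stage.vbs"'),
    ProcEvent(3, r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
              + make_encoded('Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"')),
    ProcEvent(4, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "[Reflection.Assembly]::Load([Convert]::FromBase64String($b))"'),
    ProcEvent(5, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def base_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or not valid UTF-16LE base64."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def effective_command(ev: ProcEvent) -> str:
    """Text a rule should inspect: the decoded payload when present, else the raw command line."""
    return decode_encoded_command(ev.cmdline) or ev.cmdline


def is_powershell(ev: ProcEvent) -> bool:
    return base_name(ev.image) in {"powershell.exe", "pwsh.exe"}


# Rule names are this example's own; each mirrors one Sigma detection named on the page.
RULES = {
    "base64_encoded_powershell_command":
        lambda ev: is_powershell(ev) and ENC_RE.search(ev.cmdline) is not None,
    "powershell_frombase64string":
        lambda ev: is_powershell(ev) and "frombase64string" in effective_command(ev).lower(),
    "powershell_mppreference_exclusion":
        lambda ev: is_powershell(ev) and "-mppreference" in effective_command(ev).lower()
                   and "exclusion" in effective_command(ev).lower(),
    "script_interpreter_from_suspicious_folder":
        lambda ev: base_name(ev.image) in SCRIPT_HOSTS
                   and any(d in ev.cmdline.lower() for d in SUSPICIOUS_DIRS),
    "wscript_starts_powershell":
        lambda ev: base_name(ev.parent) in SCRIPT_HOSTS and is_powershell(ev),
}


def evaluate(events):
    """Return (event_id, rule_name) for every rule that fires, in event order then rule order."""
    return [(ev.event_id, name) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for event_id, name in evaluate(EVENTS):
        print(f"event {event_id}: {name}")
```

The rules inspect the decoded -EncodedCommand payload rather than only the raw command line: the Defender exclusion in event 3 is invisible until the UTF-16LE base64 is decoded, which is why the page lists a separate "Base64 Encoded MpPreference" detection alongside the generic encoded-command one.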
Behaviour
Behavior Graph ID: 1719905 (sample SecuriteInfo.com.Trojan.Dow..., start date 21/06/2025, architecture WINDOWS, score 100). The graph is reproduced here as text.

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures.

Network endpoints (ephemeral ports in the 49xxx range are the local side):
- c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com
- bitbucket.org (104.192.142.25), remote port 443, local port 49687, AMAZON-AES, United States; contacted by the second powershell.exe
- 180.178.189.51, remote port 80, local port 49688, GALAXY-AS-AP Galaxy Broadband, Pakistan; contacted by the second powershell.exe
- 150.109.120.102, remote port 15151, local port 49692, TENCENT-NET-AP-CN, Singapore; contacted by XClient.exe
- 38.91.118.226, remote port 5531, local port 49693, SPECTRUMLINK, United States; contacted by Client.exe
- 4 other IPs or domains

Process tree (top-level processes: the sample, salie.exe, Client.exe and 10 others):
- SecuriteInfo.com.Trojan.DownLoader48.43240.12313.2666.exe
  dropped: C:\Users\user\AppData\...\6855ad5320b4c.vbs (ASCII)
  signatures: Creates multiple autostart registry keys
  - cmd.exe (also starts conhost.exe)
    - wscript.exe
      signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
      - powershell.exe (also starts conhost.exe)
        signatures: Suspicious powershell command line found; Found suspicious powershell code related to unpacking or dynamic code loading
        - powershell.exe
          network: 180.178.189.51:80; bitbucket.org 104.192.142.25:443
          signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes; Loading BitLocker PowerShell Module
          - MSBuild.exe
            dropped: C:\Users\user\AppData\Roaming\XClient.exe (PE32); C:\Users\user\AppData\Roaming\Client.exe (PE32)
            - XClient.exe
              network: 150.109.120.102:15151
              dropped: C:\Users\user\AppData\Roaming\salie.exe (PE32)
              signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 2 other signatures
              children: three powershell.exe instances (one flagged Loading BitLocker PowerShell Module) and 2 other processes, each spawning conhost.exe
            - Client.exe
              network: 38.91.118.226:5531
              signatures: Protects its processes via BreakOnTermination flag; Creates multiple autostart registry keys; Adds a directory exclusion to Windows Defender
              children: three powershell.exe instances (each spawning conhost.exe) and 2 other processes
- salie.exe (top-level; the file dropped by XClient.exe)
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
- Client.exe (top-level)
Verdict: Malware
YARA: 5 match(es)
Tags: CAB:COMPRESSION:LZX DeObfuscated Executable Obfuscated PE (Portable Executable) Scripting.FileSystemObject T1059.005 VBScript Win 64 Exe WScript.Network x64
Threat name: Win64.Malware.Heuristic
Status: Malicious
First seen: 2025-06-20 19:51:54 UTC
File Type: PE+ (Exe)
Extracted files: 13
AV detection: 20 of 37 (54.05%)
Threat level: 2/5
Result
Malware family: n/a
Score: 6/10
Tags: persistence
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Unpacked files
SHA256 hash: 4e40a4f48a6143ff7ab5b87cb65babba42c5704e65f0002109249f1b50194be7
MD5 hash: fef6e5e8b1e932147a7268c35f478d42
SHA1 hash: 478b6fc625d98ebe374400312bcea9b653085fdf
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s

Note that the only TLP:CLEAR YARA match is a RedLine Stealer rule, not an XWorm rule, and the imphash above is shared with RedLine, Lumma and Rhadamanthys samples. Both observations are consistent with a packer or loader stage shared across families rather than with the final payload; the XWorm classification of this entry rests on the sandbox results ("Yara detected XWorm" and the extracted malware configuration).

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm
Executable exe 4e40a4f48a6143ff7ab5b87cb65babba42c5704e65f0002109249f1b50194be7 (this sample)

Delivery method: Distributed via web download

Comments