MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e90fa3f4197c83ee858b522e2a99a8145da5e0f972f06a9b825e4a2781dc550. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XWorm


Vendor detections: 17



SHA256 hash: 4e90fa3f4197c83ee858b522e2a99a8145da5e0f972f06a9b825e4a2781dc550
SHA3-384 hash: add53d19d7f947e915556f6c8565f7ceb0f0b861b10792d7029291c6fb3e954a369064e35ad072f7b5d3ed767813847c
SHA1 hash: a8873506b638d567ff54e068ac312e3f081ab0cd
MD5 hash: 8ea54a686d9f786351c7847d4b72e9f5
humanhash: eight-lemon-tango-comet
File name: Onimai 1.7.1.exe
Signature: XWorm
File size: 8'323'072 bytes
First seen: 2025-06-25 21:46:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 196608:VUcwti7TQlV/h/3a7fav6ehXkSIQo6uGO+Z8dWZehBFpQS/DGZ:3wtQQlhhC752kSVQ+xZehz+ED0
TLSH T1FD86339686EA575FD43E8C7D7C17EE1290EA64B0FE30430AC550F70D6C89D8C8FAA586
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 289c3cdcd531a6ea (1 x XWorm)
Reporter malwareanalayser
Tags: exe xworm


t11059
Fake Onimai 1.7.1 crack that spreads XWorm
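The identifiers in the table above are what a responder pins a suspect file to. The script below is an added example (not MalwareBazaar's tooling and not the reporter's): it streams a file through hashlib and reports which of this entry's identifiers it matches, so a file on disk can be checked offline with nothing but the values copied from this page. The constants are taken from the entry (the sample's four hashes and, standing in for the full list, the one SHA256 from the Unpacked files section that hits the XWorm YARA rules; extend the set from that list as needed). The fuzzy hashes (ssdeep, TLSH) and imphash need third-party modules and are left out. One caveat a practitioner should keep in mind: the listed imphash f34d5f2d4577ed6d9ceec516c1f5a744 is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples (the counts beside it say so) because a .NET executable's native import table contains only mscoree!_CorExeMain; it identifies "a .NET PE", not this family, and the two imphash-based YARA matches further down carry the same limited weight.

```python
"""Check a local file against the identifiers in this MalwareBazaar entry.

Added example, not MalwareBazaar's code.  Only hashlib is used, so ssdeep,
TLSH and imphash (third-party modules) are not computed.
"""
import hashlib
import os
from typing import Dict, Iterable, Iterator, List, Tuple

# Copied from the entry above (the submitted sample).
SAMPLE = {
    "sha256": "4e90fa3f4197c83ee858b522e2a99a8145da5e0f972f06a9b825e4a2781dc550",
    "sha3_384": "add53d19d7f947e915556f6c8565f7ceb0f0b861b10792d7029291c6fb3e954a369064e35ad072f7b5d3ed767813847c",
    "sha1": "a8873506b638d567ff54e068ac312e3f081ab0cd",
    "md5": "8ea54a686d9f786351c7847d4b72e9f5",
}
# SHA256 values from the "Unpacked files" list.  Only the one that hit the
# XWorm YARA rules is included here; add the others from the page as needed.
UNPACKED_SHA256 = {
    "b460ee743b35bd8ab997d9039d218392d8dce68bfa64c2126aa1969b81b0a67e",
}
ALGOS = ("md5", "sha1", "sha256", "sha3_384")


def digests(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Hash a byte stream once, feeding every algorithm the entry lists."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def file_digests(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream the file in 1 MiB chunks: the sample is 8 MB and dropped payloads can be larger."""
    def chunks() -> Iterator[bytes]:
        with open(path, "rb") as fh:
            while True:
                block = fh.read(chunk_size)
                if not block:
                    return
                yield block
    return digests(chunks())


def match_iocs(found: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (algorithm, which-list) pairs for every identifier that matches."""
    hits = []
    for algo, value in found.items():
        value = value.lower()  # hashes are often pasted upper-case
        if SAMPLE.get(algo) == value:
            hits.append((algo, "sample"))
        if algo == "sha256" and value in UNPACKED_SHA256:
            hits.append((algo, "unpacked"))
    return hits


def scan_tree(root: str) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Walk a directory and report every file that matches at least one identifier."""
    matches = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                hits = match_iocs(file_digests(path))
            except OSError:
                continue  # unreadable or special file: skip it, do not abort the sweep
            if hits:
                matches.append((path, hits))
    return matches


if __name__ == "__main__":
    import sys
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, hits)
```

Run it against a quarantine or download directory (`python check_iocs.py /path/to/dir`); a hit on the "unpacked" list means a dropped stage was found even if the original lure executable is no longer present.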

Intelligence


File Origin
# of uploads: 1
# of downloads: 565
Origin country: US

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 4e90fa3f4197c83ee858b522e2a99a8145da5e0f972f06a9b825e4a2781dc550.zip
Verdict: Malicious activity
Analysis date: 2025-04-09 12:35:17 UTC
Tags: arch-exec pastebin xworm

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: infosteal vmdetect quasar emotet

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Loading a suspicious library
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: entropy lolbin obfuscated packed packer_detected remote vbnet venomrat

Verdict: Malicious
Labeled as: Backdoor.Marte.VenomRAT.Generic

Verdict: inconclusive
YARA: 5 match(es)
Tags: .Net Executable PE (Portable Executable) Win 32 Exe x86

Threat name: ByteCode-MSIL.Backdoor.MarteVenomRAT
Status: Malicious
First seen: 2025-04-03 03:29:32 UTC
File Type: PE (.Net Exe)
Extracted files: 61
AV detection: 20 of 24 (83.33%)
Threat level: 5/5

Verdict: malicious
Label(s): quasarrat xworm
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:quasar family:xworm persistence rat spyware trojan
Behaviour
Enumerates system info in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Detect Xworm Payload
Quasar RAT
Quasar family
Quasar payload
Xworm
Xworm family
Unpacked files
SHA256 hash:
4e90fa3f4197c83ee858b522e2a99a8145da5e0f972f06a9b825e4a2781dc550
MD5 hash:
8ea54a686d9f786351c7847d4b72e9f5
SHA1 hash:
a8873506b638d567ff54e068ac312e3f081ab0cd
SHA256 hash:
9a7f79124ef7e588569d0496090eea07ad5bbab9d16a73d61deec6bf59a3fddb
MD5 hash:
30a26f4ae1565e83072f12ee667bf4b8
SHA1 hash:
7b5dbd0068585ee4dc1f5d855b68071e2f41f758
SHA256 hash:
d24a538a3e127a55e92735dde553a9cf44da42f7f6a9ba59d267a88b13fd85de
MD5 hash:
2d3b17e3a7dd2febc7fa9a011355fbd8
SHA1 hash:
7bc605ec4ef0ee3d78e08dfe30b91c60e5563731
Detections:
win_asyncrat_w0 QuasarRAT cn_utf8_windows_terminal malware_windows_xrat_quasarrat MAL_QuasarRAT_May19_1 Vermin_Keylogger_Jan18_1 win_quasarrat_j2 asyncrat INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_QuasarStealer
SHA256 hash:
25c39f91f737d80040c72c9e3f95db0fece1c9653f501828adc16cfb1ec59d26
MD5 hash:
3956130e36754f184a0443c850f708f8
SHA1 hash:
4874cd51b0fa5652ed84e3b0c123bee05dcdffc8
SHA256 hash:
3f6df47a655908cc3f91aebd4a93667a6fe1a96968c50a8c1bfee1e5a120f87f
MD5 hash:
8de0a33d7203542c7397e32c0488c355
SHA1 hash:
7a481e5b5130ae37b295d3167cbdfecf36fe3370
SHA256 hash:
fea2c5634555d29fbae098d6ea7ddab927b25d4ce68b4d877aa35ff3da7e9e51
MD5 hash:
42ace4b57a5646b62d838d573cbe4cdb
SHA1 hash:
84db9b7e74852befe3f91805bbf959df6867d4ba
SHA256 hash:
03e75032981fd6152f4d9ee18d321bf553f9191f254f326de87b9ad0af0b8ced
MD5 hash:
163c08c9333279df7bc4788cf53a0990
SHA1 hash:
5e0d782bd99a3123ce105208194ba9f25a1f1fe5
SHA256 hash:
6ae23e848531c6d67327071e994f65b37b8efce27e4e3e1b53d96a2d3a1d2f2f
MD5 hash:
ffc0cd23ffa6929d90868d8f7de133b3
SHA1 hash:
d3ec28869d3b26d37746d15abf34f2e6e77e1fed
SHA256 hash:
63e31e6fe6e81f8852d5beacbc32d440ad65b64f9bd53d2d3f308fef736d049d
MD5 hash:
2f2a51caedce0a10e771a612e0e621fe
SHA1 hash:
8a784cdafd9b0d6a75a15e8891da3fdb376df324
SHA256 hash:
ac926c92ccfc3789a5ae571cc4415eb1897d500a79604d8495241c19acdf01b9
MD5 hash:
8610f4d3cdc6cc50022feddced9fdaeb
SHA1 hash:
4b60b87fd696b02d7fce38325c7adfc9e806f650
SHA256 hash:
38395717f48e1e64bd29c6cb5df11349f011cae5f9fce0264b53252d60cdd191
MD5 hash:
38be3b238310387bb5fa85a999326277
SHA1 hash:
b927071b902b777cda7e52a6f79af9cba1c62fdc
SHA256 hash:
2130c7489f5a5e21812c1eab37dc4903b901861a2d545aa607555be269091afd
MD5 hash:
b464fc896b14bfa34f608da53856e999
SHA1 hash:
55568eecc97895cad49a42bffe757e3588c5313c
Detections:
win_agent_tesla_w1
SHA256 hash:
60b02f99e49572e8403cf78b9c3a1ddc79b201b2a30075193630b58acd3e9dbc
MD5 hash:
7e372b36342143665ef2dfe9074d9052
SHA1 hash:
fdab24ba97a61d6f1870d47d1b6f60b308cb30dc
SHA256 hash:
80678203bd0203a6594f4e330b22543c0de5059382bb1c9334b7868b8f31b1bc
MD5 hash:
ff34978b62d5e0be84a895d9c30f99ae
SHA1 hash:
74dc07a8cccee0ca3bf5cf64320230ca1a37ad85
SHA256 hash:
2570cbe12e3f6c177362eaad630b42db3114c2bb74099a0baa2d3abd6bcb5303
MD5 hash:
2e02f737baabda557d62c88443ae7c01
SHA1 hash:
a4f3a6a3b7c5d371474fbb9a4d51f0e75ecc0927
SHA256 hash:
3a4ed9b3e4b5d706767ef614b52836250e8abfadb7b8e30e3706c2eb9d1c45e3
MD5 hash:
b0f2e37dc0fbe6cf01672547f9e56e5b
SHA1 hash:
2673eb1ab737217e0dc63101d697697c82547185
SHA256 hash:
cb1d59fd79a412b1b05a27b32c342cbc85f018a9f1e1d67b43ebe87e43fec0d1
MD5 hash:
2ddc54871ff84b3692ad11ba4a5ff771
SHA1 hash:
c5310fea5760851117ec68b66363f65d5fae06a3
SHA256 hash:
c4494b603ecb322627959b2cd782400405a58051229bd09b108861415b1845aa
MD5 hash:
f0bf68ced49e25d46f470d063b9b2532
SHA1 hash:
5826195d195ba3317b22fb726e60231e800571ec
SHA256 hash:
dd7eda88da0e3843202e51ba2cedc4412a566355c0193b4c781d307d3d1e5a4e
MD5 hash:
6e970809dfb2a09768bdc1f90ba138e1
SHA1 hash:
c7d2624aff1f91641cf2bb0fae0ceb109097ca6c
SHA256 hash:
8d1c36b6dced0b1315e71303ef205dbd01d157a4add72d874825e0f26c529aa5
MD5 hash:
e3306bf4a03b415eeaf5e3038245146c
SHA1 hash:
7c1287fb75cf863bf61d315a5dc6ac21bc224584
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
SHA256 hash:
9dddb3c2958a276f6b6afd9fade11cca191e2f0635f29a39718c60f8f278a4c3
MD5 hash:
81930cfe170acd3a8e7498fd706a93c9
SHA1 hash:
e1868f03638b3b94027afe2c4f1cda84d39c1054
SHA256 hash:
8ce541fab9d6334a97b6981e2ff1a72aa7979df913e93cb5be1536de0667cc5d
MD5 hash:
ae3a2648bf76a4dfc83d5e0dcb68f3d4
SHA1 hash:
9c33e130e4f071f700321312317d0d66b2b3d8a4
SHA256 hash:
b64939bfda95e80b5d274c2bac4307f90d8fb741d72fd3e994b2e441302ab576
MD5 hash:
c7abd5cc461aebcc354575a09c626ce8
SHA1 hash:
713e071327785a81fa7ab5197448219e963ccf91
SHA256 hash:
570a437dea0271d1d5c8b7d6a408b0b2635bdb0e8b8d5051878f3e7fca087f89
MD5 hash:
2c39a53a61168c8a7a9f53ebdad6137a
SHA1 hash:
b10ac8325cd72c7a9018af806d75739ab862b4d8
SHA256 hash:
50a1a1a79dc86fcfb8b51249b5325a10dd93d193c52999cf6775d25030a4e606
MD5 hash:
5f6a2f17f4e792600a13e3771d5ca5ff
SHA1 hash:
e411b8e51b201c5f389c2388d26735c1e89b3f6f
SHA256 hash:
842e09959084eda733aab1a5354d7af79e29594f4d8b91c8792103e5c755ed9b
MD5 hash:
e136924bb4051a462ad90bd14cb0ba41
SHA1 hash:
8cfeb4034766ce06f9216b1872703015e8ea0e09
SHA256 hash:
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc
MD5 hash:
de69bb29d6a9dfb615a90df3580d63b1
SHA1 hash:
74446b4dcc146ce61e5216bf7efac186adf7849b
SHA256 hash:
1031bb74599faf654ed6ca1712020b4adcdbab69d5671c6167881da34c6faa2a
MD5 hash:
47b9a9dad455fc991592f7e98df26b05
SHA1 hash:
feadba8c25a3edaeb762b95f6ea3fd6d7120b17a
SHA256 hash:
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
MD5 hash:
195ffb7167db3219b217c4fd439eedd6
SHA1 hash:
1e76e6099570ede620b76ed47cf8d03a936d49f8
SHA256 hash:
bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d
MD5 hash:
0bd34aa29c7ea4181900797395a6da78
SHA1 hash:
ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
SHA256 hash:
21871f410393d8711d8cd470fdb15362d7f625885844abe5fe7a83fea4702e0f
MD5 hash:
6d64de1b4000e0f99ab18603eefd377f
SHA1 hash:
727fde2765a03e150df932134a054e826e971d90
Detections:
MAL_QuasarRAT_May19_1 INDICATOR_EXE_Packed_Fody
SHA256 hash:
966a474060a8aca70c73ba09d0b6fe2353035961c7107b9003ef879c010ff8da
MD5 hash:
02c63f568e598aad85dd401d7b26e82a
SHA1 hash:
2da9ec7612835e1f69d4a93aa2d49ec9bdff7f7c
SHA256 hash:
e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42
MD5 hash:
0cf454b6ed4d9e46bc40306421e4b800
SHA1 hash:
9611aa929d35cbd86b87e40b628f60d5177d2411
SHA256 hash:
0b1e0d8f87f557b52315d98c1f4727e539f5120d20b4ca9edba548983213fbb5
MD5 hash:
cc6f6503d29a99f37b73bfd881de8ae0
SHA1 hash:
92d3334898dbb718408f1f134fe2914ef666ce46
SHA256 hash:
f3caf4cc84cdba002254180d37fca35aee22c4311057baba82ac81af0341601d
MD5 hash:
2246fa8f05a014ce2d349067165a2c29
SHA1 hash:
760d3b657f3b7e077d5a9e6409af542172b30159
Detections:
HKTL_NET_GUID_Quasar
SHA256 hash:
d7a74254b48ed75c1457c6c6158cc9bbe367d741bd5da4d46a118724662b583f
MD5 hash:
5f151fafb1d7bbfee64ff52ca2222772
SHA1 hash:
1d27cfa608b501d498e57f286f4e15b34861a679
Detections:
win_asyncrat_w0 SUSP_NET_Large_Static_Array_In_Small_File_Jan24 MAL_QuasarRAT_May19_1 HKTL_NET_GUID_Quasar asyncrat
SHA256 hash:
666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b
MD5 hash:
17ed442e8485ac3f7dc5b3c089654a61
SHA1 hash:
d3a17c1fdd6d54951141053f88bf8238dea0b937
SHA256 hash:
a047eb3b6515d33de003fc9c4dfe3008015a2debd07df29eb9e6832b352129d6
MD5 hash:
ba0898e30d32faee60cc8bad8f84fc2a
SHA1 hash:
3fe17f95e46a835e642a315b7a4e64bc64e9151e
SHA256 hash:
accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb
MD5 hash:
ecdfe8ede869d2ccc6bf99981ea96400
SHA1 hash:
2f410a0396bc148ed533ad49b6415fb58dd4d641
SHA256 hash:
bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f
MD5 hash:
f09441a1ee47fb3e6571a3a448e05baf
SHA1 hash:
3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde
SHA256 hash:
1e02248fc226f1813f9a473aaf8dc9bd264101a6e371ddb73e145c0949834d47
MD5 hash:
4b874a3043d5e3c133f4c35863159638
SHA1 hash:
3a7d21700497d81c41193544b7ea913032d0aa82
SHA256 hash:
37768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf
MD5 hash:
c610e828b54001574d86dd2ed730e392
SHA1 hash:
180a7baafbc820a838bbaca434032d9d33cceebe
SHA256 hash:
e9c4f5eed186cb129c527c4b8d67d163ea2f2396e9d8b96e30b5e7c12203ce84
MD5 hash:
fa9d0d182c63c49a4c567f7c1652b6e6
SHA1 hash:
55ddfbe80762c02f9a9c65809f9ec3ef8f7f2ccc
SHA256 hash:
7eb217f0a0b9fe681de288511cb230708bb1c66e0c4a8553b9c0058632cfd20f
MD5 hash:
d88a6b04fdbc82c396db5a301e6bfdde
SHA1 hash:
d9201cfb07496f44ada3350f04c09cde5622ba4c
SHA256 hash:
4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6
MD5 hash:
e1e9d7d46e5cd9525c5927dc98d9ecc7
SHA1 hash:
2242627282f9e07e37b274ea36fac2d3cd9c9110
SHA256 hash:
c4f1183e4df24d8cfdc6237118f748ddff2cf1a71d77378440ece7e49366205f
MD5 hash:
6625eb32c21a4dec2adfcb6421d9cfc3
SHA1 hash:
2effa00d802690d693eb0d9f31d9b33840ba18d8
SHA256 hash:
7da3f0e77c4dddc82df7c16c8c781fade599b7c91e3d32eefbce215b8f06b12a
MD5 hash:
944ce5123c94c66a50376e7b37e3a6a6
SHA1 hash:
a1936ac79c987a5ba47ca3d023f740401f73529b
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
SHA256 hash:
bdb84aa16678189510def7c589851f6ea15e60ff977ea4c7c8c156504e6ac0ff
MD5 hash:
3d913aab7b1c514502c6a232e37d470e
SHA1 hash:
28ac2d1519ec5ea58b81fe40777645acc043b349
SHA256 hash:
9429f05aa4ab1ef92a0237410ea103cffa406b071953d50f5e7a55496d517c02
MD5 hash:
1c2c6b341535661b7501f5c4a434a78e
SHA1 hash:
f45aefa816f86830bee41c0e5426e641d5af3c06
SHA256 hash:
b460ee743b35bd8ab997d9039d218392d8dce68bfa64c2126aa1969b81b0a67e
MD5 hash:
cdf00ce54c37487b8e3751a4a31e8fee
SHA1 hash:
48ce7b5fe1fcf6373a8ce397f175410c5df952cc
Detections:
win_xworm_w0 win_mal_XWorm INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_AsyncRAT MALWARE_Win_XWorm
SHA256 hash:
9a3a69fcfc764049743e1486a9d0acae990df5d7a4866b21e084c24fc73c708b
MD5 hash:
5937133856d4a32b13c44f9c9b937d92
SHA1 hash:
7e6d3c57077204809c2cf9ef80f0aa8fbac32ad8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                     Severity
CHECK_AUTHENTICODE          Missing Authenticode                                      high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)    high
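Both findings can be reproduced from the PE headers alone, which is useful when BLint is not at hand or when a dropped stage has to be triaged on a host. The following is an added example, not BLint's code and not specific to this sample: it parses the DOS, COFF and optional headers, reads IMAGE_DLLCHARACTERISTICS and the security data directory, and emits the same two finding IDs. `build_minimal_pe` is a constructed headers-only image (no sections, a placeholder certificate table) so the checks can be exercised without the sample; the flag values are the winnt.h constants. Two caveats are built in: the Authenticode check only tests that a WIN_CERTIFICATE table exists and is well-formed (verifying the signature needs the certificate chain and the PE image hash, which this does not attempt), and HIGH_ENTROPY_VA is only meaningful for 64-bit (PE32+) images, so it is not reported as missing on a PE32 file.

```python
"""Re-implement the two BLint findings above on a raw PE image.

Added example; not BLint's code and not MalwareBazaar's.  Parses only the
headers it needs, so it runs on any PE without third-party modules.
"""
import struct
from typing import Dict, List

# IMAGE_DLLCHARACTERISTICS_* bits (winnt.h)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",   # 64-bit ASLR; only meaningful for PE32+
    0x0040: "DYNAMIC_BASE",      # image may be relocated (ASLR)
    0x0080: "FORCE_INTEGRITY",   # loader enforces signature check
    0x0100: "NX_COMPAT",         # DEP
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",          # Control Flow Guard
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def parse_pe(data: bytes) -> Dict[str, object]:
    """Return just the header fields the hardening checks need."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20                     # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                          # PE32
        pe32plus, dirs = False, opt + 96
    elif magic == 0x20B:                        # PE32+
        pe32plus, dirs = True, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]      # NumberOfRvaAndSizes
    sec_off = sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # For the security directory the first field is a file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {"pe32plus": pe32plus, "dll_characteristics": dll_chars, "security_dir": (sec_off, sec_size)}


def check_hardening(data: bytes) -> List[Dict[str, str]]:
    """BLint-style findings: missing Authenticode, missing DllCharacteristics flags."""
    pe = parse_pe(data)
    findings = []
    off, size = pe["security_dir"]
    if size == 0:
        findings.append({"id": "CHECK_AUTHENTICODE", "title": "Missing Authenticode", "severity": "high"})
    else:
        well_formed = (size >= 8 and off + size <= len(data)
                       and struct.unpack_from("<IHH", data, off)[2] == WIN_CERT_TYPE_PKCS_SIGNED_DATA)
        if not well_formed:
            findings.append({"id": "CHECK_AUTHENTICODE", "title": "Malformed certificate table", "severity": "high"})
    missing = [name for bit, name in DLL_CHARACTERISTICS.items()
               if not pe["dll_characteristics"] & bit
               and not (name == "HIGH_ENTROPY_VA" and not pe["pe32plus"])]
    if missing:
        findings.append({"id": "CHECK_DLL_CHARACTERISTICS",
                         "title": "Missing dll Security Characteristics (%s)" % ", ".join(missing),
                         "severity": "high"})
    return findings


def build_minimal_pe(dll_characteristics: int, signed: bool, pe32plus: bool = True) -> bytes:
    """Constructed test image: headers only, no sections, optional placeholder certificate table."""
    opt_size = 240 if pe32plus else 224         # 112 or 96 bytes + 16 data directories
    dirs = 112 if pe32plus else 96
    img = bytearray(64)                         # IMAGE_DOS_HEADER
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 64)       # e_lfanew
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0022)
    opt_start = len(img)
    img += bytes(opt_size)
    struct.pack_into("<H", img, opt_start, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", img, opt_start + 70, dll_characteristics)
    struct.pack_into("<I", img, opt_start + dirs - 4, 16)     # NumberOfRvaAndSizes
    if signed:
        fake_pkcs7 = b"\x30\x82\x00\x04\x06\x02\x2a\x03"   # placeholder DER, not a real signature
        cert = struct.pack("<IHH", 8 + len(fake_pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + fake_pkcs7
        struct.pack_into("<II", img, opt_start + dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, len(img), len(cert))
        img += cert
    return bytes(img)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(0, signed=False)
    for f in check_hardening(data):
        print(f["id"], f["title"], f["severity"], sep="\t")
```

Pointed at a real file (`python pe_hardening.py sample.exe`) it prints the same two rows as the BLint table for an unsigned image built without the hardening flags; an empty result means the image is signed (structurally) and carries every flag in the table.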

Comments