MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5228cdea84a04c9047fd321efcde0b729a7b2fb036328f8c68c4379ea50c9f9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 19


Intelligence 19 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5228cdea84a04c9047fd321efcde0b729a7b2fb036328f8c68c4379ea50c9f9a
SHA3-384 hash: 29b524ffe884ed53c01de114d0d025c71ef8eec924d947f6f3cc86cf00ff585d8c3d0890212fd226266dabac6939b9d4
SHA1 hash: 5eacba2d117350cd3795b5007e8a04ef8366894f
MD5 hash: 5e8c000f5f5edc2a912d7f14a963182b
humanhash: orange-sodium-lima-oven
File name:playit.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:2'789'376 bytes
First seen:2025-10-16 21:25:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'795 x AgentTesla, 19'693 x Formbook, 12'274 x SnakeKeylogger)
ssdeep 49152:035n+Docm65+Jg0ZLXVZGIOBL1oayyi3Ccy1OD8E86wlzCHoc3+1NW:03A1mq+jZOIOBLaayyidFkleI9I
Threatray 1'120 similar samples on MalwareBazaar
TLSH T153D5B76AE3B1B319D9ED74F13D41AE3A0A6C18B5AB3813A7CD85F2034657C78A07E513
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe xworm


Avatar
abuse_ch
XWorm C2:
147.185.221.180:30787

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
147.185.221.180:30787 https://threatfox.abuse.ch/ioc/1616674/

Intelligence

File Origin
# of uploads :
1
# of downloads :
195
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
playit.exe
Verdict:
Suspicious activity
Analysis date:
2025-10-16 18:32:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4f1287c8-ba21-4ce9-9898-7247696b638b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33126/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f0f9090cffb324429859b0
Tags:
autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the system32 directory
Creating a file
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Creating a window
Searching for the window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Connection attempt to an infection source
Adding an exclusion to Microsoft Defender
Enabling a "Do not show hidden files" option
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
babel obfuscator confuser dotfuscator obfuscated obfuscated packed packed packer_detected spices.net vbnet yano
Link:
https://www.filescan.io/uploads/68f162e3057c46a471d02cde/reports/4146b2f7-f8b4-4dd0-8e92-2dd19fc5c962/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/5228cdea84a04c9047fd321efcde0b729a7b2fb036328f8c68c4379ea50c9f9a
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-16T11:14:00Z UTC
Last seen:
2025-10-16T11:22:00Z UTC
Hits:
~10
Detections:
Backdoor.Agent.TCP.C&C Trojan.Win32.Shellcode.sb Trojan.MSIL.Donut.sb Trojan.Win32.Agent.sb Trojan.MSIL.Dnoper.sb PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/5228cdea84a04c9047fd321efcde0b729a7b2fb036328f8c68c4379ea50c9f9a/results?tab=lookup
Malware family:
ModernLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bd4e969c-ab8c-45cf-8d66-ce611b06a8ef
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1796883
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
Changes memory attributes in foreign processes to executable or writable
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1796883 Sample: playit.exe Startdate: 16/10/2025 Architecture: WINDOWS Score: 100 111 tse1.mm.bing.net 2->111 113 mm-mm.bing.net.trafficmanager.net 2->113 115 7 other IPs or domains 2->115 133 Found malware configuration 2->133 135 Malicious sample detected (through community Yara rule) 2->135 137 Antivirus detection for dropped file 2->137 139 17 other signatures 2->139 15 playit.exe 4 2->15         started        19 explorer.exe 2->19         started        22 Explorer.EXE 2->22         started        signatures3 process4 dnsIp5 105 C:\Windows\System32\MRABDALLH.exe, PE32 15->105 dropped 107 C:\Users\user\AppData\Local\Temp\playit.exe, PE32+ 15->107 dropped 109 C:\Users\user\AppData\...\playit.exe.log, CSV 15->109 dropped 125 Drops executables to the windows directory (C:\Windows) and starts them 15->125 127 Binary or sample is protected by dotNetProtector 15->127 24 MRABDALLH.exe 2 3 15->24         started        28 playit.exe 2 15->28         started        119 150.171.27.12, 443, 49768, 49798 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 19->119 129 System process connects to network (likely due to code injection or exploit) 19->129 131 Query firmware table information (likely to detect VMs) 19->131 file6 signatures7 process8 dnsIp9 93 C:\Users\user\AppData\Roaming\3zws0piu.exe, PE32 24->93 dropped 161 Antivirus detection for dropped file 24->161 163 Multi AV Scanner detection for dropped file 24->163 165 Changes memory attributes in foreign processes to executable or writable 24->165 167 6 other signatures 24->167 31 RuntimeBroker.exe 24->31 injected 34 powershell.exe 23 24->34         started        123 api.playit.gg 172.66.168.209, 443, 49718, 49719 CLOUDFLARENETUS United States 28->123 36 conhost.exe 28->36         started        file10 signatures11 process12 signatures13 197 Injects code into the Windows Explorer (explorer.exe) 31->197 199 Writes to foreign memory regions 31->199 38 explorer.exe 15 27 31->38 injected 201 Loading BitLocker PowerShell Module 34->201 43 conhost.exe 34->43         started        process14 dnsIp15 121 147.185.221.180, 30787 SALSGIVERUS United States 38->121 91 C:\Users\user\AppData\Local\...xplorer.EXE, PE32+ 38->91 dropped 155 Benign windows process drops PE files 38->155 157 Uses schtasks.exe or at.exe to add and modify task schedules 38->157 159 Drops PE files with benign system names 38->159 45 3zws0piu.exe 38->45         started        49 qqeqrm1c.exe 38->49         started        51 3zws0piu.exe 38->51         started        53 schtasks.exe 38->53         started        file16 signatures17 process18 file19 99 C:\Users\user\AppData\Roaming\qqeqrm1c.exe, PE32 45->99 dropped 181 Antivirus detection for dropped file 45->181 183 Multi AV Scanner detection for dropped file 45->183 185 Changes memory attributes in foreign processes to executable or writable 45->185 55 RuntimeBroker.exe 45->55 injected 58 powershell.exe 45->58         started        101 C:\Users\user\AppData\Roaming\2km1hemg.exe, PE32 49->101 dropped 187 Creates multiple autostart registry keys 49->187 189 Writes to foreign memory regions 49->189 191 Allocates memory in foreign processes 49->191 60 powershell.exe 49->60         started        103 C:\Users\user\AppData\Roaming\xootsiui.exe, PE32 51->103 dropped 193 Adds a directory exclusion to Windows Defender 51->193 195 Creates a thread in another existing process (thread injection) 51->195 62 powershell.exe 51->62         started        64 conhost.exe 53->64         started        signatures20 process21 signatures22 147 Injects code into the Windows Explorer (explorer.exe) 55->147 149 Writes to foreign memory regions 55->149 151 Creates a thread in another existing process (thread injection) 55->151 66 explorer.exe 55->66         started        153 Loading BitLocker PowerShell Module 58->153 70 conhost.exe 58->70         started        72 conhost.exe 60->72         started        74 conhost.exe 62->74         started        process23 dnsIp24 117 ax-0003.ax-msedge.net 150.171.28.12, 443, 49734 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 66->117 141 System process connects to network (likely due to code injection or exploit) 66->141 143 Query firmware table information (likely to detect VMs) 66->143 76 3zws0piu.exe 66->76         started        80 qqeqrm1c.exe 66->80         started        82 schtasks.exe 66->82         started        signatures25 process26 file27 95 C:\Users\user\AppData\Roaming\p1110bzn.exe, PE32 76->95 dropped 169 Changes memory attributes in foreign processes to executable or writable 76->169 171 Creates multiple autostart registry keys 76->171 173 Writes to foreign memory regions 76->173 175 Adds a directory exclusion to Windows Defender 76->175 84 powershell.exe 76->84         started        97 C:\Users\user\AppData\Roaming\tkfrdrvn.exe, PE32 80->97 dropped 177 Allocates memory in foreign processes 80->177 179 Creates a thread in another existing process (thread injection) 80->179 87 conhost.exe 82->87         started        signatures28 process29 signatures30 145 Loading BitLocker PowerShell Module 84->145 89 conhost.exe 84->89         started        process31
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5228cdea84a04c9047fd321efcde0b729a7b2fb036328f8c68c4379ea50c9f9a
Verdict:
inconclusive
YARA:
15 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.67 Win 32 Exe x86
Link:
https://app.malva.re/file/5e8c000f5f5edc2a912d7f14a963182b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5228cdea84a04c9047fd321efcde0b729a7b2fb036328f8c68c4379ea50c9f9a/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/5228cdea84a04c9047fd321efcde0b729a7b2fb036328f8c68c4379ea50c9f9a
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2025-10-16 13:54:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kium32ueubgjar75gippzxqloknhwl5qgyzi7ddiyq3z5jimt6na._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
donut_injector
Create hunting rule
Similar samples:
1ceb781c4fa2be6d9b5eaa8075c7ab21a9de07b7eaaaa0a77354f9877755661a
XWorm
5dd9cbc64e7414cc479191cbef353c9456d75579d6453157b5f696edeba2d8b5
XWorm
6a86b3beed4068b73085adefe5be7d97acf1bbb349442243f6ab304641193bb3
XWorm
776e3442aaaf2c3e01cb2b9030be776ec31aac9305e5795c5002230820f2b4c4
XWorm
9ea72b870985f4db6233a9f0e882456fd18ef34bc70b69db35aba14a966ad5c5
XWorm
c6e92bc1395d1865f41e0d10256f7de0fd6913a07c414b2489a191227b3730f6
XWorm
d7adfc9774a6f8f2e40da98960bbaaefd6851a362ed0953281df63a449c9bff1
XWorm
ebadac7a2fcf13d135c59215056896a5ebe91b442edd6acf12110c357956a143
XWorm
error
XWorm
f3f98734dec69010e88c027fd37ee6dc9ff3d35afd200c6bc95c6ddba649eb91
XWorm
fc791cea301af15a8c46dfd5ddf048fbc52cb694d5e9118c41363675823a328b
XWorm
+ 1'110 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:xworm adware defense_evasion execution loader persistence ransomware rat spyware trojan
Link:
https://tria.ge/reports/251016-z9y55atry6/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Boot or Logon Autostart Execution: Active Setup
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Detects DonutLoader
DonutLoader
Donutloader family
Modifies visibility of hidden/system files in Explorer
Xworm
Xworm family
Malware Config
C2 Extraction:
147.185.221.180:30787
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f17e3a7a-0b08-4827-8f45-c008dbfa0e74
Unpacked files
SH256 hash:
5228cdea84a04c9047fd321efcde0b729a7b2fb036328f8c68c4379ea50c9f9a
MD5 hash:
5e8c000f5f5edc2a912d7f14a963182b
SHA1 hash:
5eacba2d117350cd3795b5007e8a04ef8366894f
Link:
https://www.unpac.me/results/b336805e-89b1-482b-b55d-a6e99ba0171f/
SH256 hash:
e6d32b7418c6cbc3190c1924efce79a9a952f48e9fa25c0a1e5fd865217ca30f
MD5 hash:
b3ba07538c07ace20079c9c86dc7e600
SHA1 hash:
3c8cddd2517f3dd9d56049388445551b911edd37
Link:
https://www.unpac.me/results/b336805e-89b1-482b-b55d-a6e99ba0171f/
SH256 hash:
25d28af760f5675f74eccf8b26c3a7f976d0a17e1edcb7059eaf7bca6e6e1407
MD5 hash:
16146b3e67528c09736379d3aaf76105
SHA1 hash:
2b5c41fe687eeae9c4c91c9fe3adc6f263a533f6
Detections:
INDICATOR_EXE_Packed_dotNetProtector
Create hunting rule
INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
INDICATOR_EXE_Packed_Goliath
Create hunting rule
INDICATOR_EXE_Packed_Babel
Create hunting rule
Link:
https://www.unpac.me/results/b336805e-89b1-482b-b55d-a6e99ba0171f/
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5228cdea84a0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5228cdea84a04c9047fd321efcde0b729a7b2fb036328f8c68c4379ea50c9f9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Babel
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Babel
Rule name:INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Dotfuscator
Rule name:INDICATOR_EXE_Packed_dotNetProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with dotNetProtector
Rule name:INDICATOR_EXE_Packed_Goliath
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Goliath
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/33126/

Comments