MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 561fe9df53ec5781a7906b2051cc7d09dc439ee133f605d46f5856dc316644e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 561fe9df53ec5781a7906b2051cc7d09dc439ee133f605d46f5856dc316644e7
SHA3-384 hash: f3a68c2f34764f533f344c15dbd241abe339d3f2456112bf1ee1bdcdc2c71536ae53c8f02384494874d42a0278827b81
SHA1 hash: 0b39cef40346cba2d177964a5bd58e398a3631b0
MD5 hash: b993bf34e62706f79de7bf0134d63acd
humanhash: black-muppet-white-floor
File name:Quote-LPO 67468298.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:726'016 bytes
First seen:2025-07-31 07:45:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:oZRtusRdGe+4S2Pe+P2CB7V3/wwR6AT1hqaJTEjhHCFD9UyYazGX:VsRoQBZP2CBV/d7RT6IhY1
Threatray 68 similar samples on MalwareBazaar
TLSH T123F4E01C6288C005C6BE8377A5B2D53543BABE07F974C36D0AD9ACEF3DB1B01594936A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe xworm


Avatar
abuse_ch
XWorm C2:
45.148.18.44:57489

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.148.18.44:57489 https://threatfox.abuse.ch/ioc/1562791/

Intelligence

File Origin
# of uploads :
1
# of downloads :
47
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_561fe9df53ec5781a7906b2051cc7d09dc439ee133f605d46f5856dc316644e7.exe
Verdict:
Malicious activity
Analysis date:
2025-07-31 07:46:30 UTC
Tags:
auto-sch-xml pastebin
Link:
https://app.any.run/tasks/1b007579-6426-49f1-aba8-b0f31a2ec845

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/17938/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688b1f2a0b4775fb2133d651
Tags:
keylog micro spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Setting a global event handler for the keyboard
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/561fe9df53ec5781a7906b2051cc7d09dc439ee133f605d46f5856dc316644e7
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bcd9e845-465e-4246-9f0d-d8282b13ecde
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1747625
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1747625 Sample: Quote-LPO 67468298.exe Startdate: 31/07/2025 Architecture: WINDOWS Score: 100 47 pastebin.com 2->47 59 Suricata IDS alerts for network traffic 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 67 14 other signatures 2->67 8 Quote-LPO 67468298.exe 7 2->8         started        12 eyxZRCqYycvZ.exe 5 2->12         started        signatures3 65 Connects to a pastebin service (likely for C&C) 47->65 process4 file5 39 C:\Users\user\AppData\...\eyxZRCqYycvZ.exe, PE32 8->39 dropped 41 C:\Users\user\AppData\Local\...\tmpFAB2.tmp, XML 8->41 dropped 43 C:\Users\user\...\Quote-LPO 67468298.exe.log, ASCII 8->43 dropped 69 Adds a directory exclusion to Windows Defender 8->69 14 Quote-LPO 67468298.exe 16 3 8->14         started        19 powershell.exe 23 8->19         started        21 powershell.exe 23 8->21         started        23 schtasks.exe 1 8->23         started        71 Multi AV Scanner detection for dropped file 12->71 25 schtasks.exe 12->25         started        27 eyxZRCqYycvZ.exe 12->27         started        signatures6 process7 dnsIp8 49 45.148.18.44, 49688, 57489 OBE-EUROPEObenetworkEuropeSE Sweden 14->49 51 pastebin.com 104.20.29.150, 443, 49687 CLOUDFLARENETUS United States 14->51 45 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 14->45 dropped 53 Tries to steal Mail credentials (via file / registry access) 14->53 55 Tries to harvest and steal browser information (history, passwords, etc) 14->55 57 Loading BitLocker PowerShell Module 19->57 29 conhost.exe 19->29         started        31 WmiPrvSE.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        file9 signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/561fe9df53ec5781a7906b2051cc7d09dc439ee133f605d46f5856dc316644e7
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) SOS: 0.24 Win 32 Exe x86
Link:
https://app.malva.re/file/b993bf34e62706f79de7bf0134d63acd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/561fe9df53ec5781a7906b2051cc7d09dc439ee133f605d46f5856dc316644e7/
Verdict:
Malicious
Threat:
ByteCode-MSIL.Ransomware.Heuristic
Link:
https://tip.neiki.dev/file/561fe9df53ec5781a7906b2051cc7d09dc439ee133f605d46f5856dc316644e7
Threat name:
Win32.Backdoor.Xworm
Create hunting rule
Status:
Suspicious
First seen:
2025-07-31 07:45:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kyp6tx2t5rlydj4qnmqfdtd5bhoehhxbgp3alvdplblnymlgittq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
561fe9df53ec5781a7906b2051cc7d09dc439ee133f605d46f5856dc316644e7
XWorm
61b1d44b94172f79290fdd6e117b145944ca354d587ca201d060a10d16180631
XWorm
99d71c0bc33e95d7a229b32d3f55964f0e0b083fa189fa808b72e340f797b818
XWorm
9e621a704ce21860890b4fb94903908f66a6926e8cfc85a32615b241da33fd7d
XWorm
caac6296da90bd564851a40bf1df66a2abb7309252d9f37a61536049b05e058d
XWorm
error
XWorm
+ 58 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm collection discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/250731-jlpc1sdq4x/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/53def577-3a4b-48c6-8244-7d674d0d526a
Unpacked files
SH256 hash:
561fe9df53ec5781a7906b2051cc7d09dc439ee133f605d46f5856dc316644e7
MD5 hash:
b993bf34e62706f79de7bf0134d63acd
SHA1 hash:
0b39cef40346cba2d177964a5bd58e398a3631b0
Link:
https://www.unpac.me/results/b937d8f2-b681-44d6-ae51-22dfb8843ee8/
SH256 hash:
662574d3c63959613703d39921f4712cbf209554cc6ac168a7721a07a289c622
MD5 hash:
1404aeaabcd13ad55fa94aa341fff3d9
SHA1 hash:
13625abd3fead8e3d7fcc732d4b44bf6ad28d9f6
Link:
https://www.unpac.me/results/b937d8f2-b681-44d6-ae51-22dfb8843ee8/
SH256 hash:
685d55b0b49e41e6ec7fba674e7786558e7f79750b04ce8156d98f1af2bd1533
MD5 hash:
f79cb587d90b13f0206d8a26607abea3
SHA1 hash:
4d7d448992a3a57d5e4723f03725138daca4ee41
Link:
https://www.unpac.me/results/b937d8f2-b681-44d6-ae51-22dfb8843ee8/
SH256 hash:
039a3aa3c8a2b18f36a90666549b663e1fde2d716222ed85af130ec1459dd9fb
MD5 hash:
1fa28107cf4975984f6e8049988a1e7f
SHA1 hash:
f0af253662fafec54a28f682e152976e06664b66
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/b937d8f2-b681-44d6-ae51-22dfb8843ee8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/561fe9df53ec/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/561fe9df53ec5781a7906b2051cc7d09dc439ee133f605d46f5856dc316644e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/17938/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments