MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c9c8ee0fd56497f8d1662c9d9347211761e969ab2af67d2c02ccb8588519f6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 13

SHA256 hash: 5c9c8ee0fd56497f8d1662c9d9347211761e969ab2af67d2c02ccb8588519f6e
SHA3-384 hash: 9d5e419a4c736cc6b261afdc3cb593cbe89bd7adfb0c690b036897c42ef85065f1ac0f49522a031be8fb875422ae15d1
SHA1 hash: ef24f4ffacf974b0d5e6a2cfb3859bff1bc73f9c
MD5 hash: 78fa179ebcbd001b575b3baa06ff3ab2
humanhash: diet-sad-social-mike
File name: wzcstatus.exe
Download: download sample
Signature: XWorm
File size: 172'544 bytes
First seen: 2024-06-16 23:15:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 3072:+QAkRtA68fm3wKSDDJlPh+sy3+Q+FjYlbmh3XMo4XH0a3bJgpOd5mbHzzDaihksH:gEphwhDFlpbyOQgMsxX74X0arJo3H+i1
Threatray: 81 similar samples on MalwareBazaar
TLSH: T1C5F31212C35DD78BD35FCEF17864228013CF91227A3B5ECB2598D439FA6BAE0525A067
TrID:
  51.8% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  22.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  7.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  3.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter: Chainskilabs
Tags: exe xworm

Intelligence

File Origin
# of uploads: 1
# of downloads: 370
Origin country: RO

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: wzcstatus.exe
Verdict: Malicious activity
Analysis date: 2024-06-16 23:14:01 UTC
Tags: remote xworm

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 96.5%
Tags: Banker Encryption Execution Network Stealth Msil Dexter
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a process with a hidden window
Searching for synchronization primitives
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Setting browser functions hooks
Searching for the window
Creating synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: asyncrat packed vbnet
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Behaviour
Behavior Graph (ID 1458127; sample wzcstatus.exe; start date 17/06/2024; architecture WINDOWS; score 100), rendered as text:
  wzcstatus.exe (started)
    Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent); 10 other signatures
    Dropped files: C:\Users\user\Desktop\wzcsvc.exe (PE32+); C:\Users\user\Desktop\wzcnetwork.exe (PE32); C:\Users\user\AppData\...\wzcstatus.exe.log (CSV)
    Network: rentry.co (Connects to a pastebin service (likely for C&C))
    -> wzcsvc.exe (started)
         Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 8 other signatures
         Injected into: lsass.exe (Writes to foreign memory regions); dwm.exe; winlogon.exe; 31 other processes
    -> wzcnetwork.exe (started)
         Network: rentry.co 104.26.3.16, 443, 49705, CLOUDFLARENETUS, United States; 147.185.221.18, 36538, 49706, 49717, SALSGIVERUS, United States
         Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
         -> schtasks.exe (started)
              -> conhost.exe (started)
Threat name: Win32.Backdoor.Xworm
Status: Malicious
First seen: 2024-06-11 17:34:52 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 25 of 38 (65.79%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies security service
Unpacked files
SHA256 hash: 9e552268c063687f08e4960a05e06c783861a6a24fd5f19368cfd6c87402148d
MD5 hash: 80236cd7c19dcab9f817a5b0619b86d1
SHA1 hash: 10d155209bbab1aeeb83f9d934a174016cccb8ca

SHA256 hash: 747c00322e73a64cba552cd6a3bfd1d16f31dd0c10a83f1febedc6910743f742
MD5 hash: ef0f5b80b1c07d0154d1f2bcaf9657e7
SHA1 hash: add9257d91fe87daafaae4282452ce455c5c1ea6

SHA256 hash: 119848e168038b59ce3d15297f2176b90e0c12b2c0d46d96eca8eb8f2214a8e1
MD5 hash: ece488283d797883245c9ef4d84db305
SHA1 hash: 69a28a69ea844417a45ae795c4c166be692c387f

SHA256 hash: f7dd8d6299c108a3221c31bf33637f59f0e19703aaa88b1e3a4f1093e7209a5d
MD5 hash: a69c6e092d415063a9fb80f8fe4e3444
SHA1 hash: 8b26a0fd01b1e48f7110cffecf6bc3b9d0822e9a

SHA256 hash: 527e4fa34f8a879b2f0ffee49033713363f96e8814585a6494a7508b1063f697
MD5 hash: b0a5f944bcbf2a6f3c78a44bec04e7e0
SHA1 hash: 56e960ae84823b314b07aaa7637dcc2bcc665ae4

SHA256 hash: 5c9c8ee0fd56497f8d1662c9d9347211761e969ab2af67d2c02ccb8588519f6e
MD5 hash: 78fa179ebcbd001b575b3baa06ff3ab2
SHA1 hash: ef24f4ffacf974b0d5e6a2cfb3859bff1bc73f9c

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: MALWARE_Win_R77
Author: ditekSHen
Description: Detects r77 rootkit

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Windows_Rootkit_R77_d0367e28
Author: Elastic Security
Reference: https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID                         Title                                                   Severity
CHECK_AUTHENTICODE         Missing Authenticode                                    high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)  high

Comments