MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e598a27d04ed49f406c5ff1656c6f99c92972c89012342136e0e361742270e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	5e598a27d04ed49f406c5ff1656c6f99c92972c89012342136e0e361742270e0
SHA3-384 hash:	9c119c348f7289d5854fc3cda64b1296d1dfad165faa2c559b14d5096a08f6930de52d45e01f13c0e9cdb0f94bb8cb24
SHA1 hash:	6168d3ede93d70b871dac1797399d329f2d34372
MD5 hash:	08eb6dcc763ca17ee7973967260cefdb
humanhash:	magazine-louisiana-sodium-montana
File name:	propsys.dll
Download:	download sample
Signature	XWorm Create hunting rule
File size:	47'325 bytes
First seen:	2025-10-01 12:09:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cb43ea63ddf831ab15a7dcf7c33bd9a9 (2 x XWorm)
ssdeep	768:N+N6aF35ZUcFz/T2GwxdPJt7xK3TPUcuQzvt1/HsEwbETnz34OuK0eq7xFnSFVPy:N+X6cFDT2GwxdPJt7xK3TPUcuQzvt1/k
Threatray	775 similar samples on MalwareBazaar
TLSH	T1AD2384D1BFD59DC6E940637822E9D2223B3DF9E086434B4BB52856311B13BD43EED24A
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	exe github-com--robertoaguilarfields-blip resources-formerly-gl-at-ply-gg xworm

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

propsys.dll

Verdict:

Malicious activity

Analysis date:

2025-10-01 12:44:17 UTC

Tags:

github xworm susp-powershell

Link:

https://app.any.run/tasks/b79474d8-dd96-4327-8715-ef1e0e883feb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/29733/

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68dd1a307d643f33eab91728

Tags:

virus overt shell

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a process with a hidden window

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Connection attempt to an infection source

Query of malicious DNS domain

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

anti-debug masquerade obfuscated overlay

Link:

https://www.filescan.io/uploads/68dd1a7c74e5a289899c2e65/reports/94aba871-de0d-4da2-826f-bf14ede03ccd/overview

Verdict:

Malicious

Labled as:

Doina.Generic

Link:

https://www.hybrid-analysis.com/sample/5e598a27d04ed49f406c5ff1656c6f99c92972c89012342136e0e361742270e0

Verdict:

Malicious

File Type:

dll x64

First seen:

2025-10-01T10:16:00Z UTC

Last seen:

2025-10-03T00:46:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/5e598a27d04ed49f406c5ff1656c6f99c92972c89012342136e0e361742270e0/results?tab=lookup

Malware family:

Veluth Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a18ae226-3da4-48d0-9e2b-021d46aed9d4

Score:

91%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5e598a27d04ed49f406c5ff1656c6f99c92972c89012342136e0e361742270e0

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5e598a27d04ed49f406c5ff1656c6f99c92972c89012342136e0e361742270e0/

Threat name:

Win64.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-10-01 12:01:51 UTC

File Type:

PE+ (Dll)

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lzmyuj6qj3kj6qdml7ywk3dpthess4wisajdiijw4drwc5bcodqa._file

Verdict:

malicious

Label(s):

xworm

XWorm

1c2e2245e276dadaf6ee7cdf6a16be8308587026c63ede136ad25ec3dfa96cf7

XWorm

5e598a27d04ed49f406c5ff1656c6f99c92972c89012342136e0e361742270e0

XWorm

6c8d323947bf1631203a274b24c6b9f1be39f077f09bd4ff6ade1e46f0617b2d

XWorm

6e6e3464cf9db6467e62e9258d07ee3d857f34b2c772a0e7878c7c5d1563006c

XWorm

7d918536efddeb60edff4165abdd6788d20a36b1af364e69ec1997691678a27e

XWorm

error

XWorm

+ 765 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm execution rat trojan

Link:

https://tria.ge/reports/251001-pcfmeaep7t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Legitimate hosting services abused for malware hosting/C2

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Detect Xworm Payload

Xworm

Xworm family

Malware Config

C2 Extraction:

resources-formerly.gl.at.ply.gg:43317
:2121

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/bf4495f8-6855-45af-95c5-99d4cc086b40

Unpacked files

SH256 hash:

5e598a27d04ed49f406c5ff1656c6f99c92972c89012342136e0e361742270e0

MD5 hash:

08eb6dcc763ca17ee7973967260cefdb

SHA1 hash:

6168d3ede93d70b871dac1797399d329f2d34372

Link:

https://www.unpac.me/results/cf707c93-89ac-40da-9af1-2b9531cdd968/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5e598a27d04e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5e598a27d04ed49f406c5ff1656c6f99c92972c89012342136e0e361742270e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/29733/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample