MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f6e7232d0fd57d8b46e8fbd1f7c917b4bddb4c426b9ea7d73e1276a197ca84d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	5f6e7232d0fd57d8b46e8fbd1f7c917b4bddb4c426b9ea7d73e1276a197ca84d
SHA3-384 hash:	24974f64859b63d97ef69bf3efd03593af685a376c3b901d931424bde81fd1e6c9c209150389bcfa7c06fd5bc3d54edf
SHA1 hash:	841ba2d927a97a102334da548551ce7350336561
MD5 hash:	0e5050bc6814e2a2b2fe1c5e784cea5a
humanhash:	stairway-idaho-video-hotel
File name:	mscorsvc.dll
Download:	download sample
Signature	XWorm Create hunting rule
File size:	103'424 bytes
First seen:	2025-12-03 14:06:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c557e5a1f458562742f2063e4d1c8d84 (1 x XWorm)
ssdeep	3072:B3nPCRxK1PAr9rpfkeMjSyPZ2aBC71WVjKB:B3PCRxEYncjSwF014j0
Threatray	1'755 similar samples on MalwareBazaar
TLSH	T1EAA38C791DBDE34AF38C90FAF815DFD29820B04859A5A363ED6DEBE03B254401F69391
TrID	38.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.6% (.ICL) Windows Icons Library (generic) (2059/9) 15.4% (.EXE) OS/2 Executable (generic) (2029/13) 15.2% (.EXE) Generic Win/DOS Executable (2002/3) 15.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Anonymous
Tags:	dll exe xworm

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

mscorsvc.dll

Verdict:

Suspicious activity

Analysis date:

2025-12-03 14:12:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/dd59bcb3-9a5e-4962-ae1f-70d5baa315b6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/42301/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6930441a16e6db515e46494c

Tags:

keylog virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Connection attempt to an infection source

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Sending a custom TCP request

Setting a global event handler for the keyboard

Query of malicious DNS domain

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/5f6e7232d0fd57d8b46e8fbd1f7c917b4bddb4c426b9ea7d73e1276a197ca84d

Verdict:

Malicious

File Type:

dll x64

First seen:

2025-12-01T00:58:00Z UTC

Last seen:

2025-12-04T02:34:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.Shellcode.sb PDM:Trojan.Win32.Generic Backdoor.MSIL.XWorm.b HEUR:Trojan.Win32.Agent.gen Trojan.Win64.DonutInjector.sb Trojan.Win64.Donut.sb Trojan.Win64.Agentb.sb

Link:

https://opentip.kaspersky.com/5f6e7232d0fd57d8b46e8fbd1f7c917b4bddb4c426b9ea7d73e1276a197ca84d/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/80d61123-b68c-4466-947d-0c8dd56425a1

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5f6e7232d0fd57d8b46e8fbd1f7c917b4bddb4c426b9ea7d73e1276a197ca84d

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5f6e7232d0fd57d8b46e8fbd1f7c917b4bddb4c426b9ea7d73e1276a197ca84d/

Verdict:

Malicious

Threat:

Family.DONUTLOADER

Link:

https://tip.neiki.dev/file/5f6e7232d0fd57d8b46e8fbd1f7c917b4bddb4c426b9ea7d73e1276a197ca84d

Threat name:

Win64.Malware.Heuristic

Status:

Malicious

First seen:

2025-12-02 21:38:05 UTC

File Type:

PE+ (Dll)

AV detection:

16 of 23 (69.57%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l5xhemwq7vl5rndor66r67erpnf53ngee246u7lt4etwugl4vbgq._file

Verdict:

malicious

Label(s):

donutloader

xworm

Result

Malware family:

xworm

Score:

10/10

Tags:

family:donutloader family:xworm loader rat trojan

Link:

https://tria.ge/reports/251203-re44wscr41/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Detect Xworm Payload

Detects DonutLoader

DonutLoader

Donutloader family

Xworm

Xworm family

Malware Config

C2 Extraction:

83.147.243.110:1002
pradeepprabhu705.duckdns.org:1002

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a6ce53ca-6c17-4c5d-9cb2-b032715c34a1

Unpacked files

SH256 hash:

5f6e7232d0fd57d8b46e8fbd1f7c917b4bddb4c426b9ea7d73e1276a197ca84d

MD5 hash:

0e5050bc6814e2a2b2fe1c5e784cea5a

SHA1 hash:

841ba2d927a97a102334da548551ce7350336561

Link:

https://www.unpac.me/results/6ef091ba-aa70-45c9-a05d-3e296c27062b/

Malware family:

DonutLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5f6e7232d0fd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/5f6e7232d0fd57d8b46e8fbd1f7c917b4bddb4c426b9ea7d73e1276a197ca84d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/42301/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample