MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fae2cb6661491b52d88989b21c5a43fc833fc04f0f682ec0042b8c0557ea882. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fae2cb6661491b52d88989b21c5a43fc833fc04f0f682ec0042b8c0557ea882
SHA3-384 hash: df3a07955b9c29bc14225a2c23f1644350acd272858b78dac6cc08a10244843bfa3c0928cb67bcce8631f2624ac8eff7
SHA1 hash: 314ee5c0cd06bb23c8b54a008c1d61f5c019a7fe
MD5 hash: 152c175b411efe940d4adbb10ac18970
humanhash: eleven-tango-johnny-eight
File name:Project Documents (Drawings, Specifications, BOQ).rar
Download: download sample
Signature XWorm
Create hunting rule
File size:26'709 bytes
First seen:2025-06-16 11:37:08 UTC
Last seen:2025-06-16 13:40:09 UTC
File type: rar
MIME type:application/x-rar
ssdeep 768:6/ypib0fE/8IfRzftCrZ1IfmfOyS5THgKMuBD0poyIDo61:GypRE/BhtCrZmQ6TALaDV3o6
TLSH T1D2C2E1E62CBFC0ADD234CE4B98C79401D463B9A8C31749A56A173B68FC4953ED4BC4A3
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika rar
Reporter cocaman
Tags:rar xworm


Avatar
cocaman
Malicious email (T1566.001)
From: "Estimation Team <urs.lustenberger@jcnconsult.com>" (likely spoofed)
Received: "from jcnconsult.com (unknown [103.75.191.168]) "
Date: "Mon, 16 Jun 2025 12:20:09 +0000"
Subject: "Notification - NARESCO CONTRACTING - Procurement Portal : Request
For Quote - Tender No. - 93644207"
Attachment: "Project Documents (Drawings,
Specifications, BOQ).rar"

Intelligence

File Origin
# of uploads :
2
# of downloads :
67
Origin country :
CH CH
Vendor Threat Intelligence
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=685001f08bd5d68a12e8cda4
Tags:
infosteal spawn
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/685001f2171e01f959424fa7/reports/2676cfdd-3c6c-45df-a641-987a234c8bb4/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/5fae2cb6661491b52d88989b21c5a43fc833fc04f0f682ec0042b8c0557ea882
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5fae2cb6661491b52d88989b21c5a43fc833fc04f0f682ec0042b8c0557ea882/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-06-16 11:37:11 UTC
File Type:
Binary (Archive)
Extracted files:
1
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l6xczntgcsi3klmitcnsdrneh7edh7ae6d3if3aaik4mavl6vcba._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution persistence rat trojan
Link:
https://tria.ge/reports/250616-pkrdwaxnt2/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/5fae2cb6661491b52d88989b21c5a43fc833fc04f0f682ec0042b8c0557ea882

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

rar 5fae2cb6661491b52d88989b21c5a43fc833fc04f0f682ec0042b8c0557ea882

(this sample)

XWorm

Visual Basic Script (vbe) vbe 3ada9658d296a62753af80cc4b481277ac0dd5e8342b12d08d03481a8de9850b

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 3ada9658d296a62753af80cc4b481277ac0dd5e8342b12d08d03481a8de9850b
  
Dropping
MD5 6fcc42b6222a8d455878294e5b86f49b
  
Dropping
XWorm

Comments