MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62d6f204244bbb976a155aa7750874a56db925c8531d76dce6bf5560440cb63c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 15


Intelligence 15 IOCs YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62d6f204244bbb976a155aa7750874a56db925c8531d76dce6bf5560440cb63c
SHA3-384 hash: b0fd210bfd0aeeb0095ee46e90bd4dff75d4668761eaa8085b50010f1ba995d0b7acece9cd3d76010008069f96febef3
SHA1 hash: 3ec9cc36f11ce7836e86089631ad790e7c8fe3cc
MD5 hash: 6b94734feac8edb9f925385163ad59c9
humanhash: alabama-cup-texas-pennsylvania
File name:roblox cheat.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:6'410'752 bytes
First seen:2024-07-29 22:44:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 98304:d7v3kcOmmcMxGf3Yi4bg38mky2aB173qgDDzGxSP8R7fTA7pksuqbqw/:p0cB3djgmggDaRXAtHtqw/
TLSH T1A356CE12F940C071E5D240B296BEAF76897DAD300B3898D777C41D694A316E37A3AF27
TrID 28.6% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
22.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
16.8% (.EXE) InstallShield setup (43053/19/16)
12.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.1% (.SCR) Windows screen saver (13097/50/3)
File icon (PE):PE icon
dhash icon 336b1737373f3f37 (5 x DCRat, 4 x GurcuStealer, 1 x RedLineStealer)
Reporter Chainskilabs
Tags:exe xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
390
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
roblox cheat.exe
Verdict:
Malicious activity
Analysis date:
2024-07-29 22:52:01 UTC
Tags:
installer evasion xworm stealer
Link:
https://app.any.run/tasks/994ee1d5-f6b8-4afa-be15-456a45127f91

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a81b73c06bd32e596e652f
Tags:
Execution Generic Network Static Stealth Trojan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Connection attempt
Sending a custom TCP request
DNS request
Creating a window
Searching for the window
Searching for synchronization primitives
Running batch commands
Creating a file in the Program Files subdirectories
Changing a file
Moving a recently created file
Replacing files
Moving a file to the Program Files subdirectory
Creating a service
Launching a service
Enabling autorun with the shell\open\command registry branches
Enabling autorun for a service
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/62d6f204244bbb976a155aa7750874a56db925c8531d76dce6bf5560440cb63c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6297e4b5-9632-4dc0-96c0-93a56e6a9225
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
90 / 100
Link:
https://www.joesandbox.com/analysis/1484380
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1484380 Sample: roblox cheat.exe Startdate: 30/07/2024 Architecture: WINDOWS Score: 90 52 titanium.roblox.com 2->52 54 edge-term4.roblox.com 2->54 56 5 other IPs or domains 2->56 72 Malicious sample detected (through community Yara rule) 2->72 74 Antivirus detection for URL or domain 2->74 76 Antivirus detection for dropped file 2->76 78 9 other signatures 2->78 10 roblox cheat.exe 4 2->10         started        signatures3 process4 file5 34 C:\Users\user\...\robloxPX1instaler.exe, PE32 10->34 dropped 36 C:\...\cheatinstaler cheatinstalerF6R54T.exe, PE32+ 10->36 dropped 38 C:\Users\user\...\roblox cheat.exe.log, ASCII 10->38 dropped 13 cheatinstaler cheatinstalerF6R54T.exe 11 10->13         started        16 robloxPX1instaler.exe 12 10->16         started        process6 dnsIp7 40 C:\Users\user\AppData\Local\...\Keyloger.exe, PE32 13->40 dropped 42 C:\Users\user\AppData\...\BitCoin_miner.exe, PE32 13->42 dropped 44 C:\Users\user\AppData\Local\...\msedge.exe, PE32 13->44 dropped 20 cmd.exe 1 14 13->20         started        46 edge-term4-ams2.roblox.com 128.116.21.3, 443, 49701, 49741 ROBLOX-PRODUCTIONUS United States 16->46 48 d2v57ias1m20gl.cloudfront.net 18.239.18.53, 443, 49704, 49705 AMAZON-02US United States 16->48 50 127.0.0.1 unknown unknown 16->50 70 Tries to detect virtualization through RDTSC time measurements 16->70 file8 signatures9 process10 process11 22 chrome.exe 1 20->22         started        25 cmd.exe 1 20->25         started        27 conhost.exe 20->27         started        dnsIp12 58 192.168.2.5 unknown unknown 22->58 60 192.168.2.7, 123, 138, 443 unknown unknown 22->60 62 239.255.255.250 unknown Reserved 22->62 29 chrome.exe 22->29         started        32 conhost.exe 25->32         started        process13 dnsIp14 64 counter.yadro.ru 88.212.201.198, 443, 49718, 49725 UNITEDNETRU Russian Federation 29->64 66 88.212.201.204, 443, 49731 UNITEDNETRU Russian Federation 29->66 68 4 other IPs or domains 29->68
Score:
84%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/62d6f204244bbb976a155aa7750874a56db925c8531d76dce6bf5560440cb63c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/62d6f204244bbb976a155aa7750874a56db925c8531d76dce6bf5560440cb63c/
Threat name:
Win32.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2024-07-29 22:45:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
105
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mllpebbejo5zo2qvlktxkcduuvw3sjoikmoxnxhgx5kwaramwy6a._file
Verdict:
malicious
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery evasion persistence privilege_escalation rat trojan
Link:
https://tria.ge/reports/240729-2pdd2ayeng/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Checks system information in the registry
Drops file in System32 directory
Checks installed software on the system
Checks whether UAC is enabled
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Event Triggered Execution: Image File Execution Options Injection
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction:
20.ip.gl.ply.gg:10346
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2243c6a6-d693-4c37-adce-cd8791dae252
Unpacked files
SH256 hash:
84acf88b81384c4ae3251204cc8e9ef5b38a101e752b744328a25fb9966b1c0b
MD5 hash:
f3d3ea1653fb9d4831769a79fd8fd127
SHA1 hash:
0efda3219d5c0d721f930c6704c0aac40a69bc7e
Link:
https://www.unpac.me/results/6e91700f-6591-4a67-aa06-06c32b99b2b2/
SH256 hash:
62d6f204244bbb976a155aa7750874a56db925c8531d76dce6bf5560440cb63c
MD5 hash:
6b94734feac8edb9f925385163ad59c9
SHA1 hash:
3ec9cc36f11ce7836e86089631ad790e7c8fe3cc
Link:
https://www.unpac.me/results/6e91700f-6591-4a67-aa06-06c32b99b2b2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/62d6f204244bbb976a155aa7750874a56db925c8531d76dce6bf5560440cb63c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants
Rule name:win_amadey_bytecodes_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments