MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63d9d59c9f36e2496a5842f5fba7a171c270d17319271d6685afda7c38417349. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: XWorm
Vendor detections: 13

SHA256 hash: 63d9d59c9f36e2496a5842f5fba7a171c270d17319271d6685afda7c38417349
SHA3-384 hash: af54e69325482e4d0251b326875d2438c57802496f95d652ae34784f780711c30eb74d6fbaaf9b7945024a5c94ceceda
SHA1 hash: 1df090cccbe86aaa055474f46d3cca40f530a70c
MD5 hash: 1247bbf35b7f65b0421960f7cb33ee8e
humanhash: washington-arkansas-golf-south
File name: 1247bbf35b7f65b0421960f7cb33ee8e.exe
Download: download sample
Signature: XWorm
File size: 991'232 bytes
First seen: 2025-06-30 13:38:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 74fea8d9720dbfeca2a3ee9f97393036 (13 x LummaStealer, 2 x Stealc, 2 x XWorm)
ssdeep: 24576:jac2RLuQZ1MHbVbQsatx4G8Icsatx4G8I:g2bVUsatx4GVcsatx4GV
TLSH: T1DB25DF29E29252E9FD2A80B54562A191B0727923CB391FFF43D4D3339E07AC41B3B765
TrID: 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
      12.2% (.EXE) OS/2 Executable (generic) (2029/13)
      12.0% (.EXE) Generic Win/DOS Executable (2002/3)
      12.0% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe xworm

Intelligence

File Origin
# of uploads: 1
# of downloads: 396
Origin country: SE
Vendor Threat Intelligence

Malware family:
ID: 1
File name: d47376ced4b362a3d517c1d777ccc70cc3dcd4ce8b91af0670af5450ce8611e3.bin
Verdict: Malicious activity
Analysis date: 2025-06-30 03:31:06 UTC
Tags: lumma stealer themida loader amadey botnet auto-reg rdp stealc arch-exec auto arkeistealer python vidar telegram generic arch-doc

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: philis virus hello
Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Creating a window
Searching for the window
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Threat name: AsyncRAT, LummaC Stealer, Njrat, Quasar
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Check if machine is in data center or colocation facility
Compiles code for process injection (via .Net compiler)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Suspicious execution chain found
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected LummaC Stealer
Yara detected Njrat
Yara detected Quasar RAT
Yara detected Vidar stealer
Yara detected XWorm
Behaviour
Behavior Graph: [graph not reproduced in text; Behavior Graph ID: 1725580, Sample: SA1c64XrV0.exe, Startdate: 30/06/2025, Architecture: WINDOWS, Score: 100]
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) Win 64 Exe x64
Threat name: Win64.Infostealer.Tinba
Status: Malicious
First seen: 2025-06-29 13:02:34 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 22 of 36 (61.11%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:lumma family:njrat family:quasar family:vidar family:xworm botnet:0563f7b7ace99077cac73375f6f7cbf9 botnet:google chrome botnet:hacked credential_access cryptone defense_evasion discovery packer persistence rat spyware stealer trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Drops startup file
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Uses browser remote debugging
CryptOne packer
Detect Vidar Stealer
Detect Xworm Payload
Lumma Stealer, LummaC
Lumma family
Njrat family
Quasar RAT
Quasar family
Quasar payload
Vidar
Vidar family
Xworm
Xworm family
njRAT/Bladabindi
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 63d9d59c9f36e2496a5842f5fba7a171c270d17319271d6685afda7c38417349
MD5 hash: 1247bbf35b7f65b0421960f7cb33ee8e
SHA1 hash: 1df090cccbe86aaa055474f46d3cca40f530a70c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: XWorm
File type: Executable exe
SHA256 hash: 63d9d59c9f36e2496a5842f5fba7a171c270d17319271d6685afda7c38417349 (this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high

Reviews
ID | Capabilities | Evidence
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineA, KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::ReadConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileW
WIN_USER_API | Performs GUI Actions | USER32.dll::CreateWindowExA

Comments