MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 649243059c52a8eec583ec9e6334aba54c59dcddf41a78a9ca836be6e6727f67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 649243059c52a8eec583ec9e6334aba54c59dcddf41a78a9ca836be6e6727f67
SHA3-384 hash: 7bd9bf580c08e1e38142cbd126ab680458df7b8720ca787943abc3344d48fcbf0e1786cd70bc45d4dbe3e3df5480e457
SHA1 hash: c8e7950e3ddfd7bf2608a538342b3adf1db11335
MD5 hash: 37fba0f69eabe5946ff9f63937ed8209
humanhash: east-july-comet-fix
File name:SecuriteInfo.com.Trojan.PackedNET.3393.1014.19178
Download: download sample
Signature XWorm
Create hunting rule
File size:529'416 bytes
First seen:2025-08-20 07:19:00 UTC
Last seen:2025-09-05 13:02:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:gzEwScNPel1bBEAoEq6YP5xnokjjLuDvZP0uxhan21QkR:gYwn9el1b3qp5xokjvKmuLX
Threatray 92 similar samples on MalwareBazaar
TLSH T126B4F151229AD100E5F63B3429B1D3759B7B7DCD7830C24B8BE4ADDF3E62B4164A03A6
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe xworm

Intelligence

File Origin
# of uploads :
5
# of downloads :
77
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.PackedNET.3393.1014.19178
Verdict:
Malicious activity
Analysis date:
2025-08-20 07:21:20 UTC
Tags:
netreactor auto-sch-xml pastebin remote xworm auto generic stealer
Link:
https://app.any.run/tasks/bf2f6f25-b579-458d-8b61-d78b46525d2e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22404/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3393.1014.19178.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a5770c8fd55a79c5295821
Tags:
virus krypt msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap confuserex expired-cert invalid-signature lolbin msbuild obfuscated packed packed reconnaissance regsvcs roboski schtasks signed stego vbc vbnet
Link:
https://www.filescan.io/uploads/68a5770dba1f5bb1e60dca37/reports/75d0802d-5d37-46ef-b60a-807251bac9f5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/649243059c52a8eec583ec9e6334aba54c59dcddf41a78a9ca836be6e6727f67
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/607098bd-a255-4e81-a089-2dcab95a15ba
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/649243059c52a8eec583ec9e6334aba54c59dcddf41a78a9ca836be6e6727f67
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.24 Win 32 Exe x86
Link:
https://app.malva.re/file/37fba0f69eabe5946ff9f63937ed8209
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/649243059c52a8eec583ec9e6334aba54c59dcddf41a78a9ca836be6e6727f67/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/649243059c52a8eec583ec9e6334aba54c59dcddf41a78a9ca836be6e6727f67
Threat name:
Win32.Backdoor.XWorm
Create hunting rule
Status:
Malicious
First seen:
2025-08-20 07:49:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=msjegbm4kkuo5rmd5spggnfluvgftxg56qnhrkokqnv6nztsp5tq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
2f3400ebe9efe2b533afadd9ba9b578315519166f96dc3cd9a2f41eb5d8f483b
XWorm
649243059c52a8eec583ec9e6334aba54c59dcddf41a78a9ca836be6e6727f67
XWorm
8c7d7ecf7d126cd76989d070d1b2391585ef1d689d3ffb0dcaab197c21d3820e
XWorm
ccf29345b53dd399ee1a1561e99871b2d29219682392e601002099df77c18709
XWorm
error
XWorm
+ 82 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm collection defense_evasion discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/250820-h5tlea1my8/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Modifies trusted root certificate store through registry
Detect Xworm Payload
Xworm
Xworm family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d2346309-40e4-42a1-8afc-56cbbb43f9fa
Unpacked files
SH256 hash:
649243059c52a8eec583ec9e6334aba54c59dcddf41a78a9ca836be6e6727f67
MD5 hash:
37fba0f69eabe5946ff9f63937ed8209
SHA1 hash:
c8e7950e3ddfd7bf2608a538342b3adf1db11335
Link:
https://www.unpac.me/results/b98db8a3-9558-432e-8c2b-21de9714d641/
SH256 hash:
5d6c19cd384d502b49b49d7acf6e30fb862e0e1449b3cf3d393b2a43302b27d8
MD5 hash:
37b1991fe82290f7a93318b271f1358a
SHA1 hash:
30868cfd23ae3f71d694f9c6726f58e98d54e38c
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/b98db8a3-9558-432e-8c2b-21de9714d641/
SH256 hash:
a1ba38de28e295c98f4eeb7a674feb458c766e75b238bc334fb1b2376eef567a
MD5 hash:
ced62940086bf50ec287d4db7f068837
SHA1 hash:
740da4148fef930ef68b2380a8355a66a871c1de
Link:
https://www.unpac.me/results/b98db8a3-9558-432e-8c2b-21de9714d641/
SH256 hash:
6f663c04d0d98abf75bd5202ffa408fa727502c199f42f5d9b8b3e50f4ac3781
MD5 hash:
3bcbe25f8ad2139c0bb3501fcf9afc5f
SHA1 hash:
a7a91c6b0fafeac319c6bf429fd8799f9670cba3
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/b98db8a3-9558-432e-8c2b-21de9714d641/
Parent samples :
a1a9a1eb021b4358e6585bd24332ec331ab91973b4286eee6f82f778997bfc33
dbc0e8b108b4e270877bd6bab0e90e45a206065733483d47481bd8f3638a3001
0ce45ef5e6b470b80e4c7079377953db80ecfc5393fb76ee4568fa334c613924
85743dccb07d50949999575c8fc62d04ffcabf8e15802f8c5c4d7e84243c846f
9538c650eee9f57c5927c90dbeb4e37b9b84ac157f49e2aebf182cb1258e3f5b
2107230497983a8313e0776ee14087ec2e7b9ebf63f39378f3d29846b7492f27
0a4de4dddc2313587610dd1d69aaa99d8b350b5bb888dd54ffdd5bbb246e5a75
96b5f548190e75840e623792ee01e9561d1f88a89c6fdce734a6cc9a038523ea
ca5b85e2100535294f607ba63fa782b2652397c1c1258fb0d15ad256a6f779e5
66513d2b0ca211cd190997156119713b7b8704a49a28fb9a8328749b9dc2cd45
ed17eb2e83fcca67ba66de21c6357ed58d2c684793aa0e7364e120c189488a6e
632a938f27ff96c7c959eb321c05478cef7ac11fdd8db11eb22307d3fbe5fb35
dfb47b0d9362c1584332c02f37e614f8e54a3f9956cc3df38dbacd20c40c4db5
14fc010bba506071a73611d32fd83f0cb181f0ed6d7675f736000c7cd2c4b6cf
c43e60dd4fe89c7a4927b13c24972ff021986196b1fafa40e9cdc5ce81b0db5b
649243059c52a8eec583ec9e6334aba54c59dcddf41a78a9ca836be6e6727f67
57ddc71d4ceabf26512f5bf88152f41b543de6cc7080b8d5660c43badd4dbd4d
e2dc30f133c91cab67e24cebc23291f6953654e16d4ea2621dd64dd500c5cc9a
44125a5ef2f4e177d83ca26e4c8b0ec8fd228b393167e314d79de1de0eb7130e
68b9da7d7c581d929c84aca89b0d7418c6b2e04a6c93d1045e59052a7bedb6fd
4a200b42ba8a718bb929d36b694cec5271310e0976b844fa2f97a6223384dad7
9f5e1c5ea05a6275d90bac217e0fd8061c7e87e174b69bcdd26625e873c7579b
4fd694eea69457f8141a22cdb979e68a321ddf53e74ea6f392360b86b12e9944
087a67230ac4ad7bcedcc58aadd2ad2c4a12590db99f4ee7f00dc299255faab6
aa8573d46623ece59532f343f470aaa82a28cee22f00ed2b9b004db3a7810e05
5078c343420073ff89ed24cf79285abacfe4701acd4e33ccdefebb923441d352
ad1ae745d835753f3536d17187afeaca8c6b4fa7741aa7442778de132c6bb0b3
517f289ea24bf5a5270a83308aff7b392fcd572daea4448978ef7001d53b4a73
544d7bd464f262cdfda14e6df09a8b4ba3210867c0955eebc4e86d757f861238
8c26e45232a6156e0aa26e97891c87be699e0790bdf3f048fb9fde6b9b94e794
73641bb814bd6e10ce0fa31212e08f24e705e5d4a67d4c5367a1d8331b55da0d
989abbc447fdf6d9082210d06760f3705c6f07b4020375b78640248fe5b49d14
6181588754a45750b20eee8e9d3844f14d85b0869bb860134cc240ac6f6d90dd
331b4062e2bd91848560e3d76e2ad7f34fec3be595f3925f9eb45326085966e7
9d868f31c6cc17e3c71942f41008ac4e91c9141f2a48570cde35dea5efc5115a
46411b8001c1bec2f2ef0b8e4ebebf0457ecc0eec2b4693e3e61f1986009320e
d78b1315a596c3424ed01722ea7d1370180affa97474a8a4fd55b1bb012c8411
94b39cc6fa738eb8a26185ee588d5998a7f82b39a67a7312f5202a3e4ee7af78
789217599c1f3acfa58bde73eca30d4f0bd9c8184fdfe37ffa7339d321cfe266
51b036522abdbc3cd223aaa8dde959ae3f02b80bd1955f61442fcc8e15696a88
f0e55b1274addd245c00942b61bb7e9f590fe64b9c216cf85dc0da1d0bcee069
3a882b870fce4e6cc303d89551e6b36741aedf2a97dc8a20163e964a0808f22b
44b569741123469cd19a343c8b33de6e24d77b26763d4692e070aa2b10a3a960
f1722328c89de2120f7cab86b9f88e4129fb7e419c8c0c699d43317553692de7
76cff505d993baaecd718a3b0de1814da0aef73ce932d95bacbc6d842db38807
8cafe02ae7050245022e1afdd9552286c7d3cf944d15cea2d4c7f74fe909e2ec
e15aad8afcd267221fefba1c7e17def943fe8f02bfa4295a45ba76a745d3556d
af3c9677ddb4f4989eefa3f4dbc7c2c61067adfde4203b106939e13def66ba22
007cd810db2b95805793f8b38d89946479092c54385a4e127bb9dfe5512ade1c
aa1badc8a65a7e941f3e9e9ed3e7ab9ff565900904e57bcd8e5428c6b900d522
374c0585a847123b53c6a0882073830abf04829ecb038e0bdad00cf458bd16ee
a44128afda43c52008225dda2f60357b13030df3f639e42cd83c3e35e0e8c09a
898fa5e7ec65acee299dca750e5369836bd3453aad9e7d5fe5e6061ee24e35d3
8317cc0a4d4b4c3776f6f572da2635063a6244f1d9846c8fa8754ab085c555c5
c6c671502b3a65de6a8ab2373fc24415cac444c4333203e47bd3598bd0104f4b
d431af117842085de4eab85ddc86bc5eeffa0130a55b9651aada9553b54d5e13
00476471d950178a2fb4725999ac7aa090424a08121fb10b202cbd51a57bb4b8
1f60712c0d173d50aba8f766c49d4c70588d3315b701756bbb785d7c513b1c78
35fb644ff75750a53c894f52fa160ca37af8370c99a2877d8e3d84f1ffae5b2f
31ee9e20db0bf4c49fa560640005056239d41f9349516ddada7fe5fec89e7060
ea71d7dc55ee33978d98af1897d65e9bd1fc48334d7fb405a3238e47d48a05dc
57ae7edf153dae62714e31efabe20bcd93fa7f69f9ffe3f69b6150ce0cc7e92c
27a028ec14e0d0a72a308a7bd7d46722d52bfd988e0776ceb0a60db751af7c3a
3485b71b8ccdae236a71d4426aea885bd16ee3e2760d9eb324dfce2a552dd938
2261076a897c78824d78af89c1a409308893eab0242e7e04399ed7b7b6c7d245
Malware family:
zgRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/649243059c52/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/649243059c52a8eec583ec9e6334aba54c59dcddf41a78a9ca836be6e6727f67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/22404/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments