MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6806d7e4fcabf3e9147f446a3babf29bc8970cf32a8ecc1176271a0dd1e3a847. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	6806d7e4fcabf3e9147f446a3babf29bc8970cf32a8ecc1176271a0dd1e3a847
SHA3-384 hash:	7655cb1e854033586abd37ed6c8317d94765313e81ec09d1ff30e6612b77d147be696a26a90ec54a98affb681c7e6b34
SHA1 hash:	88e214b02eea72b4b588122c9f3d867084c38c8b
MD5 hash:	1fdfb4d8b675aa915bce4cf1f2e56337
humanhash:	bacon-romeo-tango-nine
File name:	6806d7e4fcabf3e9147f446a3babf29bc8970cf32a8ecc1176271a0dd1e3a847
Download:	download sample
Signature	XWorm Create hunting rule
File size:	790'528 bytes
First seen:	2026-05-08 12:43:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'917 x AgentTesla, 19'821 x Formbook, 12'309 x SnakeKeylogger)
ssdeep	12288:kt+d8+DbFdr9/O/Fv6c8dFAUEfT0BrZToD1PAq4Lcs6B4YPotyVd9XSKAxaf:Zd8+v9k6cPzfT+9Tk1PAJcs6Bw0XSK/
Threatray	765 similar samples on MalwareBazaar
TLSH	T13EF401247A38CE52D8A513F80DA1E33213B89C8EA511D3179EFDBDE77575B1A2918383
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe xworm

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/44d391b6-93cc-4cc0-8fb2-7eb83452f76c/

Malware family:

n/a

ID:

File name:

exe

Verdict:

Malicious activity

Analysis date:

2026-05-08 16:18:05 UTC

Tags:

susp-lnk auto-startup xworm

Link:

https://app.any.run/tasks/afa99fc3-288e-4b90-a955-35c8ddcf090f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/65115/

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Connection attempt to an infection source

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context crypt packed vbnet

Link:

https://www.filescan.io/uploads/69fddb3b2fcb905ec2886df3/reports/150b915d-959e-4f65-bf85-52ad336209b5/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/6806d7e4fcabf3e9147f446a3babf29bc8970cf32a8ecc1176271a0dd1e3a847

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-04-08T10:10:00Z UTC

Last seen:

2026-04-18T07:14:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/6806d7e4fcabf3e9147f446a3babf29bc8970cf32a8ecc1176271a0dd1e3a847/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/71f07203-b681-41e1-90c5-0b27829c2a41

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6806d7e4fcabf3e9147f446a3babf29bc8970cf32a8ecc1176271a0dd1e3a847

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6806d7e4fcabf3e9147f446a3babf29bc8970cf32a8ecc1176271a0dd1e3a847/

Threat name:

Win32.Backdoor.FormBook

Status:

Malicious

First seen:

2026-04-08 22:54:25 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 36 (63.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nadnpzh4vpz6sfd7irvdxk7stpejodhtfkhmyelwe4na3updvbdq._file

Verdict:

malicious

Label(s):

xworm

XWorm

87ffe7535f7e221d713ce338cb8f1ad3481c6a1a48932203f1658d6a1cd1c201

XWorm

9b8d72d1a03fbc62aceda0d7e071474fa88f81624ce6aed1fd77f4197cd96305

XWorm

9fe7289e6e6eff48961ebe44aed0440e21d35702da284c34f4ef8c37b6ad7419

XWorm

error

XWorm

+ 755 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm discovery execution rat trojan

Link:

https://tria.ge/reports/260508-pzryyscx7q/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Checks computer location settings

Drops startup file

Command and Scripting Interpreter: PowerShell

Detect Xworm Payload

Family: Xworm

Malware Config

C2 Extraction:

147.124.213.101:1985

Unpacked files

SH256 hash:

6806d7e4fcabf3e9147f446a3babf29bc8970cf32a8ecc1176271a0dd1e3a847

MD5 hash:

1fdfb4d8b675aa915bce4cf1f2e56337

SHA1 hash:

88e214b02eea72b4b588122c9f3d867084c38c8b

Link:

https://www.unpac.me/results/7052c484-ba51-426a-af36-e84bb60800bf/

SH256 hash:

b19f75067ddc24abe3fe5959888b6e8003e161807789f90581d10720e67a6e7a

MD5 hash:

875ca1b8b717d00c477882c5bbed2894

SHA1 hash:

0f60dfa378122629711043c08c9a544c3a4c60c1

Detections:

win_xworm_w0

XWorm

Link:

https://www.unpac.me/results/7052c484-ba51-426a-af36-e84bb60800bf/

Parent samples :

ad49daecf36c736fc7db65a547e2fd0756c69847778638edb6b1f7bd16a5310e
a65c6f7e36a274402a40b3dd676d50ed00505bc7e7c1ec34faf1c88bee76c990
64268aabb05ab23b0e746311547591818ac496ff355ab8f158645a5060a94f2f
6806d7e4fcabf3e9147f446a3babf29bc8970cf32a8ecc1176271a0dd1e3a847
993d9460098137391a6f1775c070d535c47138a06a88c2c5250c99b79f28dca8

SH256 hash:

335138cfd29ef2ef552aa836b00de48a4796df7c2dd62abea8a5d091d80fcbf1

MD5 hash:

cb963ae4ca287abba455770686cdf19d

SHA1 hash:

18113fa9410b4a23957db81cc4c61bb59328c999

Link:

https://www.unpac.me/results/7052c484-ba51-426a-af36-e84bb60800bf/

SH256 hash:

8980ec7cc81fb5443f77b53dea05520aa55786916a97bb40048a6349459f93e0

MD5 hash:

9f80dffb2172561896eae52b2af8e575

SHA1 hash:

8ff2b4901a15f15a7f10dc4cdeffc64151241173

Link:

https://www.unpac.me/results/7052c484-ba51-426a-af36-e84bb60800bf/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6806d7e4fcab/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6806d7e4fcabf3e9147f446a3babf29bc8970cf32a8ecc1176271a0dd1e3a847

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/65115/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample