MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68795c47a9aeb9e3208ca814fcef157c8e5f73464298e5eec4bb0ea32831baba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 18

Intelligence 18 IOCs YARA 7 File information Comments

SHA256 hash:	68795c47a9aeb9e3208ca814fcef157c8e5f73464298e5eec4bb0ea32831baba
SHA3-384 hash:	34d66b978f2f2a4ab584856b1ea40e2eedf000673b065d2f27220dee65a1326f6e3e0289bfb6c72e8205b04e28c56b72
SHA1 hash:	1b499b7b4ba7ed80695f2dd0fce8d94ebdc8e30e
MD5 hash:	9e3fdb1daaa9146fa27e4f99d94f56be
humanhash:	grey-jig-double-snake
File name:	9e3fdb1daaa9146fa27e4f99d94f56be.exe
Download:	download sample
Signature	XWorm Create hunting rule
File size:	179'200 bytes
First seen:	2026-03-17 16:10:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4d1adb8c36a03a7a69c0e198ec96a536 (6 x AsyncRAT, 4 x XWorm, 4 x PureLogsStealer)
ssdeep	3072:Ua4hbLnUPwZLQ03C1m5FLiOAnqZcaw0aRHUGRLm2iUtG:ShE4lQ0y1dr0aRHUGBmEt
Threatray	48 similar samples on MalwareBazaar
TLSH	T1F0049F00F181D436F5B310B58AF69969962CBA100BA54DEFF7C809BE8F314D1BA35E27
TrID	22.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 22.7% (.EXE) Win64 Executable (generic) (6522/11/2) 17.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.7% (.EXE) Win32 Executable (generic) (4504/4/1) 7.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	abuse_ch
Tags:	exe xworm

Intelligence

File Origin

# of uploads :

# of downloads :

155

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

9e3fdb1daaa9146fa27e4f99d94f56be.exe

Verdict:

Malicious activity

Analysis date:

2026-03-17 16:15:51 UTC

Tags:

phishing amsi-bypass xworm

Link:

https://app.any.run/tasks/d3087ae7-bbb7-4ad4-84e4-37e8eccb482a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/57784/

Detection(s):

SecuriteInfo.com.Win32.Agent-BDOZ.93159122.UNOFFICIAL

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69b97d1093b644ca466afd28

Tags:

malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/68795c47a9aeb9e3208ca814fcef157c8e5f73464298e5eec4bb0ea32831baba

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-28T22:44:00Z UTC

Last seen:

2025-11-29T10:10:00Z UTC

Hits:

~10

Detections:

HEUR:Backdoor.MSIL.XClient.b HEUR:Trojan-PSW.Win32.PureLogs.gen Backdoor.MSIL.XWorm.b Backdoor.MSIL.Agent.sb PDM:Trojan.Win32.Generic PDM:Exploit.Win32.Generic HEUR:Backdoor.MSIL.XWorm.gen

Link:

https://opentip.kaspersky.com/68795c47a9aeb9e3208ca814fcef157c8e5f73464298e5eec4bb0ea32831baba/results?tab=lookup

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/26ea8f62-c264-4879-92cf-510565f7ad42

Result

Threat name:

XWorm

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1885018

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found malware configuration

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/68795c47a9aeb9e3208ca814fcef157c8e5f73464298e5eec4bb0ea32831baba

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

.Net Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/9e3fdb1daaa9146fa27e4f99d94f56be

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/68795c47a9aeb9e3208ca814fcef157c8e5f73464298e5eec4bb0ea32831baba/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/68795c47a9aeb9e3208ca814fcef157c8e5f73464298e5eec4bb0ea32831baba

Threat name:

Win32.Trojan.PureLogs

Status:

Malicious

First seen:

2025-11-28 17:47:37 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 36 (77.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nb4vyr5jv246giemvakpz3yvpshf642gikmol3wexmhkgkbrxk5a._file

Verdict:

malicious

Label(s):

xworm

XWorm

2852d54e19b288a571f4cac80210591d50b8cbc165fc99cf6134b26b95e7c407

XWorm

3bdb6d2cc2125ca6b5c61dbbee32b5b625d96378064df19c506ec04487834a96

XWorm

7f92ce6ddf632dd49b6052f77857bd03e7e00f89965d9d6648c60773847ba6df

XWorm

8986d305ceed84c8dbc430ae7caf31b645f22fe5c4c29bca869eaee9abc46585

XWorm

e6e706d5575672d029d9c816c360a0595ebcd4c81b044f81e1e520542c0bcfe7

XWorm

error

XWorm

+ 38 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm discovery rat trojan

Link:

https://tria.ge/reports/260317-tmp12shz2y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

System Location Discovery: System Language Discovery

Detect Xworm Payload

Xworm

Xworm family

Malware Config

C2 Extraction:

envio11.ddnsguru.com:4806

Unpacked files

SH256 hash:

68795c47a9aeb9e3208ca814fcef157c8e5f73464298e5eec4bb0ea32831baba

MD5 hash:

9e3fdb1daaa9146fa27e4f99d94f56be

SHA1 hash:

1b499b7b4ba7ed80695f2dd0fce8d94ebdc8e30e

Link:

https://www.unpac.me/results/63d1e53b-8eb0-40e2-ab2d-7d700e2b049c/

SH256 hash:

854163d20ad0d66ddcde28d9280848a363d5474afc67741bd6314f85f7c8d218

MD5 hash:

7dc58d60c7d5f6527fc2b657dc3dcd82

SHA1 hash:

e98b7a18f29e32a138d230878d63c4dbea21570e

Detections:

win_xworm_a0

win_xworm_w0

XWorm

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

MALWARE_Win_XWorm

Link:

https://www.unpac.me/results/63d1e53b-8eb0-40e2-ab2d-7d700e2b049c/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/68795c47a9ae/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/68795c47a9aeb9e3208ca814fcef157c8e5f73464298e5eec4bb0ea32831baba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/57784/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample