MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68a367884639037f1e1e7619df3ae3fcc6177034e8bd3d0da2f62383762b3dc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 20

SHA256 hash: 68a367884639037f1e1e7619df3ae3fcc6177034e8bd3d0da2f62383762b3dc8
SHA3-384 hash: 9ef157db957cc7c3b32856498ce69542e9e11783cc1ed560dc167943255e28e3bc8be8dc3773945c5195c607ed57197f
SHA1 hash: 097a5601056afd48bdb3db24d8a7c773fc2afc87
MD5 hash: d3c223256f7a719ecf40f5054e6ecdef
humanhash: coffee-muppet-virginia-helium
File name: 1y96g7.exe
Signature: XWorm
File size: 2'632'704 bytes
First seen: 2025-09-07 01:35:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 49152:EowDXBJuTpc8iYM57G+vSVMZ5i6BEC8ysTVeuK+hl:EowDRYTFMYqZwhC2Y+
Threatray: 3'693 similar samples on MalwareBazaar
TLSH: T1DDC512C137CE5AF2F3B71DF741381932A4FAA970012E5E9716A42C89861B3F996106F7
TrID:
  63.7% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  17.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.3% (.EXE) InstallShield setup (43053/19/16)
  2.5% (.EXE) Win64 Executable (generic) (10522/11/4)
  1.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika: pebin
Reporter: abuse_ch
Tags: exe xworm


abuse_ch
XWorm C2:
132.145.75.68:1878

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 132.145.75.68:1878
ThreatFox reference: https://threatfox.abuse.ch/ioc/1582855/

Intelligence


File Origin
# of uploads :
1
# of downloads :
99
Origin country :
NL
Vendor Threat Intelligence
Malware family:
redline
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-09-07 01:14:12 UTC
Tags:
lumma stealer auto redline amadey botnet loader arch-exec auto-reg themida rdp stealc autoit auto-sch anti-evasion purelogs auto-startup vidar telegram miner winring0-sys vuln-driver silentcryptominer gcleaner ddr

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
emotet cobalt delphi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Running batch commands
Launching a process
Sending a custom TCP request
Creating a service
Launching the process to interact with network services
Launching a service
Restart of the analyzed sample
Creating synchronization primitives
Searching for synchronization primitives
Creating a process from a recently created file
Creating a file in the %temp% directory
Launching the default Windows debugger (dwwin.exe)
Creating a file
Creating a window
Enabling autorun for a service
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
adaptive-context amadey anti-debug anti-vm base64 crypt fingerprint lolbin netsh nircmd obfuscated obfuscated obfuscated overlay packed reconnaissance unsafe wmic xor-pe
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-06T22:17:00Z UTC
Last seen:
2025-09-06T22:17:00Z UTC
Hits:
~10
Result
Threat name:
Amadey, LummaC Stealer, Vidar, Xmrig
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates multiple autostart registry keys
Drops executables to the windows directory (C:\Windows) and starts them
Drops password protected ZIP file
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Reads the Security eventlog
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PUA - NSudo Execution
Sigma detected: Suspicious New Service Creation
Suricata IDS alerts for network traffic
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 1772505
Sample: 1y96g7.exe
Startdate: 07/09/2025
Architecture: WINDOWS
Score: 100

Network contacted from the sample: phoenix-brands.dev; marvelvod.com; 21 other IPs or domains
Signatures on the sample: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus / Scanner detection for submitted sample; 18 other signatures
Processes started by the sample: 1y96g7.exe (first instance); 1y96g7.exe (second instance); cmd.exe; 8 other processes

1y96g7.exe (first instance)
  Dropped: C:\Windows\winloghelper.exe (PE32); C:\Windows\systemhelper.exe (PE32); C:\Users\user\...\WindowsLogsHelper.xml (XML); C:\Users\user\AppData\...\1y96g7.exe.log (ASCII)
  Started: cmd.exe (a); cmd.exe (b); cmd.exe (c); 9 other processes (which started 16 other processes, among them net1.exe)

1y96g7.exe (second instance)
  Dropped: C:\Windows\63mxa2Nc.exe (PE32)
  Signatures: Drops executables to the windows directory (C:\Windows) and starts them; Reads the Security eventlog; Reads the System eventlog
  Started: 63mxa2Nc.exe; 3 other processes (which started 6 other processes)

cmd.exe (started by the sample)
  Started: winloghelper.exe; conhost.exe (which started Conhost.exe)

8 other processes (started by the sample)
  Signatures: Changes security center settings (notifications, updates, antivirus, firewall); Uses cmd line tools excessively to alter registry or file data
  Started: WerFault.exe

cmd.exe (a)
  Started: winloghelper.exe; conhost.exe

cmd.exe (b)
  Signatures: Drops executables to the windows directory (C:\Windows) and starts them
  Started: systemhelper.exe; conhost.exe

cmd.exe (c)
  Signatures: Uses cmd line tools excessively to alter registry or file data; Bypasses PowerShell execution policy; Uses schtasks.exe or at.exe to add and modify task schedules; Uses the nircmd tool (NirSoft)
  Started: 2 other processes

63mxa2Nc.exe
  Signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service; Contains functionality to inject code into remote processes
  Started: WerFault.exe (which dropped C:\ProgramData\Microsoft\...\Report.wer, Unicode)

winloghelper.exe (started by cmd.exe (a))
  Network: 94.154.35.25 (49722, 49727, 49736; SELECTELRU Ukraine); 178.16.54.200 (49731, 49738, 49744; DUSNET-ASDE Germany); www.google.com
  Dropped: C:\Users\user\AppData\Local\...\ojjvpn1.exe (PE32); C:\Users\user\AppData\Local\...\1YicmO1.exe (PE32+); C:\Users\user\AppData\Local\...\PsCMIRi.exe (PE32); 26 other malicious files
  Signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service; Creates multiple autostart registry keys

systemhelper.exe (started by cmd.exe (b))
  Dropped: C:\Users\user\AppData\Local\...\nircmd.exe (PE32+); C:\Users\user\AppData\Local\...\cecho.exe (PE32); C:\Users\user\AppData\Local\...88SudoLG.exe (PE32+); 2 other malicious files
  Started: cmd.exe

cmd.exe (started by systemhelper.exe)
  Signatures: Uses cmd line tools excessively to alter registry or file data; Drops executables to the windows directory (C:\Windows) and starts them
  Started: cmd.exe (which started tasklist.exe and Conhost.exe); conhost.exe; nircmd.exe; 10 other processes
Verdict:
inconclusive
YARA:
12 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.47 Win 32 Exe x86
Threat name:
Win32.Trojan.Jalapeno
Status:
Malicious
First seen:
2025-09-07 01:14:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
71
AV detection:
18 of 24 (75.00%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:amadey family:gcleaner family:lumma family:rhadamanthys family:stealc family:vidar family:xworm botnet:fbf543 botnet:logsdillercloud defense_evasion discovery execution loader persistence rat spyware stealer trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Runs net.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Power Settings
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Modifies file permissions
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Detect Vidar Stealer
Detect Xworm Payload
Detects Rhadamanthys Payload
Disables service(s)
GCleaner
Gcleaner family
Lumma Stealer, LummaC
Lumma family
Process spawned unexpected child process
Rhadamanthys
Rhadamanthys family
Stealc
Stealc family
Vidar
Vidar family
Xworm
Xworm family
Malware Config
C2 Extraction:
http://94.154.35.25
https://t.me/romalabs
https://marvelvod.com/uqia
https://dubznetwork.com/wqii
https://digitbasket.com/pqox
https://voando26.com/iwnn
https://iaed.link/ndbh
https://pyscalp.com/iqop
https://lzh.fr/mnsn
https://streamin.style/iqzb
https://phoenix-brands.dev/qyzb
185.156.73.98
45.91.200.135
http://starshipcrown.shop
cx3fbungd.localto.net:1878
Unpacked files

SHA256 hash: 68a367884639037f1e1e7619df3ae3fcc6177034e8bd3d0da2f62383762b3dc8
MD5 hash: d3c223256f7a719ecf40f5054e6ecdef
SHA1 hash: 097a5601056afd48bdb3db24d8a7c773fc2afc87
Detections: SUSP_OBF_NET_Eazfuscator_String_Encryption_Jan24 SUSP_XORed_MSDOS_Stub_Message

SHA256 hash: c96e043205fdc0e030a86c139d0603e1485ade3630e1e9507254b5b453556b0f
MD5 hash: b80c84bb522324b2314aa67aa683fbd8
SHA1 hash: 80b36635aa6c2989372667f52712a7fe64809b50

SHA256 hash: 9441d9565b03bc4ef06b5d39b560f2fbc52d164700d7ae5d38b74e0abd7fb63c
MD5 hash: 9aba1b9fb5b1f9bb3bc87745b1a039ef
SHA1 hash: 3de8b263e96d6ca9244cbe28dd20fbddbe8df0d2

SHA256 hash: 07a35663e91a60603e60c8a6614d7de4afe498e841740d34992fa6c655a0131a
MD5 hash: 89b7e0d69f9002814472edbc44da0e7c
SHA1 hash: 6296b296eeeda2c5d994135e05e32bd953191b31

SHA256 hash: 5153b60b002a0b82848661b6dc00df9e184ef2a3f800aac3e90f2f868b403c46
MD5 hash: f99323ccbdf71989e975c21ef85ebe10
SHA1 hash: bd71d9c530579b5944bfdd1a6a3b1b4f52f4eab3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: dcrat_
Author: Michelle Khalil
Description: This rule detects unpacked dcrat malware samples.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments