MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68af66991e125976da13a5f0ea7bb2c47c255ec742e848064a9486302bd9babe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 68af66991e125976da13a5f0ea7bb2c47c255ec742e848064a9486302bd9babe
SHA3-384 hash: 8a09a2e2f80732814d670a20bd9f303d6e4146970e1e9e29db6f9506842edeee773f0da4b47f2c01a7ba26fbac7396a8
SHA1 hash: a53108b4de43ed20135603b63c9ea14a6f8fb60f
MD5 hash: 9d745ba6fb3fdc17d775ff38a9dcfa88
humanhash: bulldog-lithium-ceiling-north
File name:payment. 001 224326.pdf.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:820'736 bytes
First seen:2026-06-04 05:42:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'013 x AgentTesla, 19'917 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 24576:ZxQ/DFIF72cQXgRspjTbldvOLcIy7jNnSI:+aFicQwCddvO6PNSI
Threatray 275 similar samples on MalwareBazaar
TLSH T188051258267AC617C55297780E71F2F54BAC5EEDE922D2079FECBDDBB966B000C04283
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:bat exe xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/b8a5f275-198c-4478-8f80-4dd6225a890d/
Malware family:
n/a
ID:
1
File name:
_68af66991e125976da13a5f0ea7bb2c47c255ec742e848064a9486302bd9babe.exe
Verdict:
Malicious activity
Analysis date:
2026-06-04 05:44:28 UTC
Tags:
auto-reg auto-startup
Link:
https://app.any.run/tasks/54629fe5-ade3-4fec-be1d-5ad455bbf030

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68932/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen5.33381.28649.5357.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a21104ff8676ad4d360e915
Tags:
autorun virus micro sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Connection attempt
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context crypt masquerade packed vbnet
Link:
https://www.filescan.io/uploads/6a21104a099ef368af1c8aac/reports/6cf9e9ae-d522-409b-ae8e-821d1141aa54/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/68af66991e125976da13a5f0ea7bb2c47c255ec742e848064a9486302bd9babe
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-12T03:11:00Z UTC
Last seen:
2026-05-23T06:21:00Z UTC
Hits:
~1000
Detections:
Backdoor.Agent.TCP.C&C Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb HEUR:Trojan.MSIL.Injuke.gen PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/68af66991e125976da13a5f0ea7bb2c47c255ec742e848064a9486302bd9babe/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/37e6bbe3-834e-4e12-9cb7-9757c497f719
Result
Threat name:
Remcos, SugarDump, XWorm
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1922638
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected malicious Powershell script
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Double Extension Files
Sigma detected: Suspicious Executable File Creation
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected SugarDump
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1922638 Sample: payment. 001 224326.pdf.bat.exe Startdate: 04/06/2026 Architecture: WINDOWS Score: 100 96 keyauth.win 2->96 98 geoplugin.net 2->98 112 Suricata IDS alerts for network traffic 2->112 114 Found malware configuration 2->114 116 Malicious sample detected (through community Yara rule) 2->116 118 28 other signatures 2->118 12 payment. 001 224326.pdf.bat.exe 1 7 2->12         started        16 powershell.exe 2->16         started        18 powershell.exe 2->18         started        20 3 other processes 2->20 signatures3 process4 file5 86 C:\Users\user\AppData\...\rxGwUqPiWTr.exe, PE32 12->86 dropped 88 C:\Users\...\rxGwUqPiWTr.exe:Zone.Identifier, ASCII 12->88 dropped 90 C:\Users\user\AppData\...\x0sdouwh2jv.ps1, ASCII 12->90 dropped 92 C:\...\payment. 001 224326.pdf.bat.exe.log, ASCII 12->92 dropped 144 Creates autostart registry keys with suspicious values (likely registry only malware) 12->144 146 Creates multiple autostart registry keys 12->146 148 Creates an autostart registry key pointing to binary in C:\Windows 12->148 152 2 other signatures 12->152 22 payment. 001 224326.pdf.bat.exe 4 8 12->22         started        26 powershell.exe 23 12->26         started        29 payment. 001 224326.pdf.bat.exe 12->29         started        31 rxGwUqPiWTr.exe 16->31         started        33 conhost.exe 16->33         started        35 rxGwUqPiWTr.exe 18->35         started        37 conhost.exe 18->37         started        150 Detected Remcos RAT 20->150 signatures6 process7 dnsIp8 100 155.103.71.146, 49688, 49691, 776 WHITELABELUS Turkey 22->100 76 C:\Users\user\AppData\Roaming\system32.exe, PE32 22->76 dropped 78 C:\Users\user\AppData\Local\Temp\uluvjp.exe, PE32 22->78 dropped 39 uluvjp.exe 5 4 22->39         started        43 csc.exe 22->43         started        45 payment. 001 224326.pdf.bat.exe 22->45         started        138 Loading BitLocker PowerShell Module 26->138 47 conhost.exe 26->47         started        140 Multi AV Scanner detection for dropped file 31->140 142 Injects a PE file into a foreign processes 31->142 49 rxGwUqPiWTr.exe 31->49         started        51 rxGwUqPiWTr.exe 35->51         started        file9 signatures10 process11 file12 80 C:\Users\user\AppData\Local\...\windows32.exe, PE32 39->80 dropped 82 C:\Users\user\AppData\Local\...\install.vbs, data 39->82 dropped 130 Antivirus detection for dropped file 39->130 132 Multi AV Scanner detection for dropped file 39->132 134 Detected Remcos RAT 39->134 136 6 other signatures 39->136 53 wscript.exe 1 39->53         started        84 C:\Users\...\payment. 001 224326.pdf.bat.exe, PE32 43->84 dropped 56 conhost.exe 43->56         started        58 cvtres.exe 43->58         started        signatures13 process14 signatures15 120 Windows Scripting host queries suspicious COM object (likely to drop second stage) 53->120 122 WScript reads language and country specific registry keys (likely country aware script) 53->122 60 cmd.exe 53->60         started        process16 process17 62 windows32.exe 60->62         started        67 conhost.exe 60->67         started        dnsIp18 102 geoplugin.net 178.237.33.50 ATOM86-ASATOM86NL Netherlands 62->102 94 C:\ProgramData\windows32\logs.dat, data 62->94 dropped 104 Antivirus detection for dropped file 62->104 106 Multi AV Scanner detection for dropped file 62->106 108 Detected Remcos RAT 62->108 110 2 other signatures 62->110 69 windows32.exe 62->69         started        72 windows32.exe 62->72         started        74 windows32.exe 62->74         started        file19 signatures20 process21 signatures22 124 Tries to steal Instant Messenger accounts or passwords 69->124 126 Tries to steal Mail credentials (via file / registry access) 69->126 128 Tries to harvest and steal browser information (history, passwords, etc) 72->128
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/68af66991e125976da13a5f0ea7bb2c47c255ec742e848064a9486302bd9babe
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/68af66991e125976da13a5f0ea7bb2c47c255ec742e848064a9486302bd9babe/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/68af66991e125976da13a5f0ea7bb2c47c255ec742e848064a9486302bd9babe
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2026-05-12 06:18:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
25 of 36 (69.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ncxwngi6cjmxnwqtuxyou65syr6ckxwhilueqbskssddak6zxk7a._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
53c80d00f49f5fb19370501cdcf199668440c516390c96861a996ece6eeb46cf
XWorm
68af66991e125976da13a5f0ea7bb2c47c255ec742e848064a9486302bd9babe
XWorm
68fa0dd6b006ddf41bfd6caee99a66506b5b56c1c86df77a7bacc761e6b1aa82
XWorm
e18128d6e9657ce06424fbdb8af5cc6b23bbeda33fdbc13762318d11b24a22f4
XWorm
e8e458a7015285fb6ea40b73813a1a724c131e7bad18cee5ceca6e4751c617cc
XWorm
error
XWorm
f7352bc1213a3464d7abb529acfdfb8a6e272e77a8e8f88236ca70192635d02d
XWorm
+ 265 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm collection discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/260604-gd99eaas6y/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Detect Xworm Payload
Family: Xworm
Unpacked files
SH256 hash:
68af66991e125976da13a5f0ea7bb2c47c255ec742e848064a9486302bd9babe
MD5 hash:
9d745ba6fb3fdc17d775ff38a9dcfa88
SHA1 hash:
a53108b4de43ed20135603b63c9ea14a6f8fb60f
Link:
https://www.unpac.me/results/2c4150e5-65b5-4da7-a3a3-bcdd924021cc/
SH256 hash:
5cd363fc5958bf51be0520e2ae4c9640b3da562a654a961951e5de07b2619a72
MD5 hash:
d4446718e1fac3191203d74b0a2030b0
SHA1 hash:
328b1a587e88dc48315fd70bc06d3953dc2dd4f8
Link:
https://www.unpac.me/results/2c4150e5-65b5-4da7-a3a3-bcdd924021cc/
SH256 hash:
b78d43f67482d0d5c4c1b18e21df6a96b97a2f094b90303c923aa32c5faf33b5
MD5 hash:
88d3fb2b76ba96f2c18837417e7a2953
SHA1 hash:
9ee3ec163baa7ae1e080c5967ffe40c9ffc17193
Link:
https://www.unpac.me/results/2c4150e5-65b5-4da7-a3a3-bcdd924021cc/
SH256 hash:
cf5dafb0fd320378be54ed47d552dd872b7b343994ddba51e3a1cd2b30d176d3
MD5 hash:
d6e222077074b587ef0fb07636e43284
SHA1 hash:
ddcb6634e0e88f4b9ce66562d951e608a8d843cf
Link:
https://www.unpac.me/results/2c4150e5-65b5-4da7-a3a3-bcdd924021cc/
SH256 hash:
68af66991e125976da13a5f0ea7bb2c47c255ec742e848064a9486302bd9babe
MD5 hash:
9d745ba6fb3fdc17d775ff38a9dcfa88
SHA1 hash:
a53108b4de43ed20135603b63c9ea14a6f8fb60f
Link:
https://www.unpac.me/results/2c4150e5-65b5-4da7-a3a3-bcdd924021cc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/68af66991e125976da13a5f0ea7bb2c47c255ec742e848064a9486302bd9babe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/68932/

Comments