MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b2ef374ac650c3624e17bef81fa74572d4cf67bf815a8927447aba4c5da9d00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 18


Intelligence 18 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b2ef374ac650c3624e17bef81fa74572d4cf67bf815a8927447aba4c5da9d00
SHA3-384 hash: 123c9a1e43c8cc0ff91d47ae7b37a3f1057e46bce49803b4ccc9d1383a4fb4fe6e7e158188d55ef9721826363b756a0e
SHA1 hash: 5f2ab59e1de1520e6ef37c4a709ecb3ee1e68034
MD5 hash: 54a0f89133527f5868085e5cfe48f10c
humanhash: delaware-arkansas-eight-sad
File name:Request For QuoteNr. 38530.bat.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:560'128 bytes
First seen:2025-09-18 05:25:19 UTC
Last seen:2025-09-18 12:55:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:GiWhEAEPSmufxGr/9rXfYk8BFgfFhzk4okiYtetkaUebSkyW:EEAEavy/9b1Ug9hzk4NiY9qy
Threatray 128 similar samples on MalwareBazaar
TLSH T118C40159335EED03C2A50AF04870D3B603789E4EF815D2539EE9BDFFBC267912909296
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter abuse_ch
Tags:exe xworm


Avatar
abuse_ch
XWorm C2:
185.157.163.140:60875

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.157.163.140:60875 https://threatfox.abuse.ch/ioc/1593805/

Intelligence

File Origin
# of uploads :
3
# of downloads :
126
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2fdc7992ceb441d6b7665d94589e6a0197b84e27d3bd84000f57ae4d75d650ce.zip
Verdict:
Malicious activity
Analysis date:
2025-09-18 04:21:26 UTC
Tags:
arch-exec auto-sch-xml pastebin
Link:
https://app.any.run/tasks/40ca2420-e3bd-4bdd-8371-ef87028e59b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28031/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68cb88c62432032546475d6e
Tags:
shell spawn sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/68cb97eac62f6996238afec2/reports/7d713134-a550-4690-bde1-f904776cfec3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6b2ef374ac650c3624e17bef81fa74572d4cf67bf815a8927447aba4c5da9d00
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-18T00:00:00Z UTC
Last seen:
2025-09-18T00:00:00Z UTC
Hits:
~10000
Link:
https://opentip.kaspersky.com/6b2ef374ac650c3624e17bef81fa74572d4cf67bf815a8927447aba4c5da9d00/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/50a13945-620d-4477-9b34-eed2fccbedce
Result
Threat name:
AsyncRAT, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1779695
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1779695 Sample: Request For QuoteNr. 38530.... Startdate: 18/09/2025 Architecture: WINDOWS Score: 100 73 pastebin.com 2->73 75 beacons.gvt2.com 2->75 77 2 other IPs or domains 2->77 99 Suricata IDS alerts for network traffic 2->99 101 Malicious sample detected (through community Yara rule) 2->101 103 Antivirus / Scanner detection for submitted sample 2->103 107 13 other signatures 2->107 9 Request For QuoteNr. 38530.bat.exe 7 2->9         started        13 qvgPaKVyPxt.exe 2->13         started        15 msedge.exe 2->15         started        18 2 other processes 2->18 signatures3 105 Connects to a pastebin service (likely for C&C) 73->105 process4 dnsIp5 65 C:\Users\user\AppData\...\qvgPaKVyPxt.exe, PE32 9->65 dropped 67 C:\Users\...\qvgPaKVyPxt.exe:Zone.Identifier, ASCII 9->67 dropped 69 C:\Users\user\AppData\Local\...\tmpB632.tmp, XML 9->69 dropped 71 C:\...\Request For QuoteNr. 38530.bat.exe.log, ASCII 9->71 dropped 111 Adds a directory exclusion to Windows Defender 9->111 113 Injects a PE file into a foreign processes 9->113 20 Request For QuoteNr. 38530.bat.exe 17 4 9->20         started        24 powershell.exe 23 9->24         started        27 powershell.exe 23 9->27         started        29 schtasks.exe 1 9->29         started        115 Multi AV Scanner detection for dropped file 13->115 31 schtasks.exe 13->31         started        35 2 other processes 13->35 97 239.255.255.250 unknown Reserved 15->97 117 Maps a DLL or memory area into another process 15->117 33 msedge.exe 15->33         started        37 6 other processes 15->37 39 2 other processes 18->39 file6 signatures7 process8 dnsIp9 79 185.157.163.140, 49716, 60875 OBE-EUROPEObenetworkEuropeSE Sweden 20->79 81 pastebin.com 104.20.29.150, 443, 49714 CLOUDFLARENETUS United States 20->81 63 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 20->63 dropped 41 chrome.exe 20->41         started        44 msedge.exe 20->44         started        109 Loading BitLocker PowerShell Module 24->109 46 conhost.exe 24->46         started        48 WmiPrvSE.exe 24->48         started        50 conhost.exe 27->50         started        52 conhost.exe 29->52         started        54 conhost.exe 31->54         started        83 s-part-0041.t-0009.t-msedge.net 13.107.246.69, 443, 49754, 49764 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 33->83 85 ln-0007.ln-msedge.net 150.171.22.17, 443, 49739 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 33->85 87 32 other IPs or domains 33->87 file10 signatures11 process12 dnsIp13 95 192.168.2.4, 443, 49708, 49714 unknown unknown 41->95 56 chrome.exe 41->56         started        59 chrome.exe 41->59         started        61 msedge.exe 44->61         started        process14 dnsIp15 89 plus.l.google.com 142.250.189.14, 443, 49721, 49736 GOOGLEUS United States 56->89 91 www.google.com 172.217.12.132, 443, 49725, 49728 GOOGLEUS United States 56->91 93 7 other IPs or domains 56->93
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6b2ef374ac650c3624e17bef81fa74572d4cf67bf815a8927447aba4c5da9d00
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.16 Win 32 Exe x86
Link:
https://app.malva.re/file/54a0f89133527f5868085e5cfe48f10c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b2ef374ac650c3624e17bef81fa74572d4cf67bf815a8927447aba4c5da9d00/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2025-09-18 03:01:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nmxpg5fmmugdmjhbppxyd6tuk4wuz5t37ak2retui6v2jro2tuaa._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
008e92b1ea12b53b06531097a36a5582e0856cd5f03cc188661bd40ea99dae1f
XWorm
10898c09830634012bc320ad02afc6120f285bada5b22db95687d0796e3d86d6
XWorm
5cb3bf5f0c0abd19e74b72ed4560f7a5295db8e0d2cbb705976d1dd8e1f93fe0
XWorm
6b2ef374ac650c3624e17bef81fa74572d4cf67bf815a8927447aba4c5da9d00
XWorm
eef3e30fb0a0404549b189ff4f5a799694b88d3f3b608d422fb2f93559804b21
XWorm
error
XWorm
+ 118 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution persistence rat trojan
Link:
https://tria.ge/reports/250918-f4ttnsaq8w/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/19052995-e59a-4ebd-b005-1b78092cab44
Unpacked files
SH256 hash:
6b2ef374ac650c3624e17bef81fa74572d4cf67bf815a8927447aba4c5da9d00
MD5 hash:
54a0f89133527f5868085e5cfe48f10c
SHA1 hash:
5f2ab59e1de1520e6ef37c4a709ecb3ee1e68034
Link:
https://www.unpac.me/results/9fa62323-4709-4792-b381-5cfa6ceb4762/
SH256 hash:
1041b538ccbc7d66e59247ef7551cde9b6c282843541585e9190a8e2e3943b12
MD5 hash:
e870d1e8f3791ccc141f85f40fd2972b
SHA1 hash:
150919ee289cffa6feb40ab8261f620dd7e26aac
Link:
https://www.unpac.me/results/9fa62323-4709-4792-b381-5cfa6ceb4762/
SH256 hash:
bac7fd703c3938c0df9419c9d8e40ef79d749eba5ab3150da2e261d55f8fa19f
MD5 hash:
05b05e48a3ec78a622ddf0b68e683f15
SHA1 hash:
691565ab26b76a4471bf8fd3210468814fc887a1
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/9fa62323-4709-4792-b381-5cfa6ceb4762/
SH256 hash:
77fa928f8d5c5964649b49c94bf7a17dd5c9ca0efc5162e36c736b9d4ef433b9
MD5 hash:
ee25c4ef7ceb053eb9c1c8238f2f6f81
SHA1 hash:
c11a18fd19e768f199e9419f16fd2394a05417eb
Link:
https://www.unpac.me/results/9fa62323-4709-4792-b381-5cfa6ceb4762/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6b2ef374ac65/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b2ef374ac650c3624e17bef81fa74572d4cf67bf815a8927447aba4c5da9d00

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Windows_Trojan_XWorm_b7d6eaa8
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/28031/

Comments