MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b3e0f224cba9c07d0ac6ef71325481a63e9d5fc0629cf64cb71cdeb041fc13c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 19


Intelligence 19 IOCs 1 YARA 44 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b3e0f224cba9c07d0ac6ef71325481a63e9d5fc0629cf64cb71cdeb041fc13c
SHA3-384 hash: 12428554aa73d4420efa3a9a7d4ebc2d54acd3644c46a615695221617892f6973d89da34cfa48a098d9ca0e75b4f7a7b
SHA1 hash: 5596c1ca61fb30359a496021177af1ebc32cf2dd
MD5 hash: 4156f7e081aa9b4264bb1771d767a53b
humanhash: beryllium-maine-coffee-lion
File name:4156f7e081aa9b4264bb1771d767a53b.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:6'856'704 bytes
First seen:2025-10-04 04:20:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 196608:dLVvf/xhFP4yS860qc/LQbY8ZGdzOmNsnX6aD:fvR/P4yS8Kc/oY4rX
TLSH T1656633FBAC020E67F5A50DB25E31D1952B48ECC2D7818193B17C90E9AC738F392559EA
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe xworm


Avatar
abuse_ch
XWorm C2:
193.233.113.101:6000

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.233.113.101:6000 https://threatfox.abuse.ch/ioc/1607147/

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4156f7e081aa9b4264bb1771d767a53b.exe
Verdict:
Malicious activity
Analysis date:
2025-10-04 04:22:21 UTC
Tags:
ms-smartcard stealer github loader evasion auto-reg auto-startup telegram susp-powershell upx salatstealer golang remote xworm
Link:
https://app.any.run/tasks/f407f4b7-ea8e-4b0f-bc0f-a093feb4f9d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/30108/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e0a0bdd707128ed1ec09a3
Tags:
asyncrat dropper shell remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
DNS request
Sending a UDP request
Connection attempt
Sending a custom TCP request
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt packed unsafe vbnet venomrat xworm
Link:
https://www.filescan.io/uploads/68e0a0b2c74bd2958b157d12/reports/43ef10ba-d39f-45fd-a7e8-15c51d35cfd7/overview
Verdict:
Malicious
Labled as:
Backdoor.Marte.VenomRAT.Generic
Link:
https://www.hybrid-analysis.com/sample/6b3e0f224cba9c07d0ac6ef71325481a63e9d5fc0629cf64cb71cdeb041fc13c
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-30T16:45:00Z UTC
Last seen:
2025-10-04T10:14:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/6b3e0f224cba9c07d0ac6ef71325481a63e9d5fc0629cf64cb71cdeb041fc13c/results?tab=lookup
Malware family:
ModernLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bd77bb8f-6818-4750-a659-0e14db33f32a
Result
Threat name:
Salat Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1789113
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates multiple autostart registry keys
Disables UAC (registry)
Drops executable to a common third party application directory
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Powershell download and execute
Yara detected Salat Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1789113 Sample: Zf8CpsQcWg.exe Startdate: 04/10/2025 Architecture: WINDOWS Score: 100 83 release-assets.githubusercontent.com 2->83 85 raw.githubusercontent.com 2->85 87 2 other IPs or domains 2->87 117 Suricata IDS alerts for network traffic 2->117 119 Antivirus detection for URL or domain 2->119 121 Antivirus detection for dropped file 2->121 123 6 other signatures 2->123 9 Zf8CpsQcWg.exe 4 2->9         started        12 TaZD5kJitKdVp6U4qRVdLW.exe 1 2->12         started        14 2xNj9AOJlVkYjvXHCSNeOi.exe 2->14         started        16 6 other processes 2->16 signatures3 process4 file5 77 C:\Users\user\AppData\Local\Temp\shell.exe, PE32 9->77 dropped 79 C:\Users\user\AppData\Local\...\Updatex.exe, PE32 9->79 dropped 81 C:\Users\user\AppData\...\Zf8CpsQcWg.exe.log, CSV 9->81 dropped 19 Updatex.exe 6 12 9->19         started        24 shell.exe 2 4 9->24         started        26 TaZD5kJitKdVp6U4qRVdLW.exe 12->26         started        28 2xNj9AOJlVkYjvXHCSNeOi.exe 14->28         started        103 Antivirus detection for dropped file 16->103 105 Multi AV Scanner detection for dropped file 16->105 30 0dSQXDLEm12EBcIneerD.exe 16->30         started        32 HSZcqtr963KhWQg4A6K.exe 16->32         started        signatures6 process7 dnsIp8 89 8.8.8.8, 443, 53186, 59011 GOOGLEUS United States 19->89 55 C:\Users\user\AppData\Local\...\UH4au31Y2.exe, PE32 19->55 dropped 57 C:\Users\user\...\sExdVIi6epraTlTtI4Ed.exe, PE32 19->57 dropped 59 C:\Users\user\AppData\Local\Comms\shell.exe, PE32 19->59 dropped 67 3 other malicious files 19->67 dropped 125 Antivirus detection for dropped file 19->125 127 Multi AV Scanner detection for dropped file 19->127 129 Creates multiple autostart registry keys 19->129 131 Drops executable to a common third party application directory 19->131 34 sExdVIi6epraTlTtI4Ed.exe 19->34         started        91 dns.google 8.8.4.4, 443, 53185, 53187 GOOGLEUS United States 24->91 93 172.67.146.62, 443, 59014, 59015 CLOUDFLARENETUS United States 24->93 61 C:\...\0dSQXDLEm12EBcIneerD.exe, PE32 24->61 dropped 63 C:\...\TaZD5kJitKdVp6U4qRVdLW.exe, PE32 24->63 dropped 133 Found many strings related to Crypto-Wallets (likely being stolen) 24->133 37 TaZD5kJitKdVp6U4qRVdLW.exe 24->37         started        95 104.21.81.197, 443, 53188, 62919 CLOUDFLARENETUS United States 26->95 39 powershell.exe 26->39         started        65 C:\...\2xNj9AOJlVkYjvXHCSNeOi.exe, PE32 28->65 dropped 135 Tries to harvest and steal browser information (history, passwords, etc) 28->135 137 Tries to steal Crypto Currency Wallets 28->137 43 powershell.exe 28->43         started        45 2xNj9AOJlVkYjvXHCSNeOi.exe 28->45         started        file9 signatures10 process11 dnsIp12 107 Antivirus detection for dropped file 34->107 109 Multi AV Scanner detection for dropped file 34->109 97 github.com 140.82.114.3, 443, 49731, 49735 GITHUBUS United States 39->97 99 release-assets.githubusercontent.com 185.199.109.133, 443, 49732 FASTLYUS Netherlands 39->99 101 raw.githubusercontent.com 185.199.111.133, 443, 49728 FASTLYUS Netherlands 39->101 69 C:\Users\user\AppData\Local\Temp\ffmpeg.exe, PE32+ 39->69 dropped 71 C:\Users\user\AppData\...\AxMSTSCLib.dll, PE32 39->71 dropped 73 C:\Users\user\AppData\Local\Temp\7z.exe, PE32+ 39->73 dropped 75 C:\Users\user\AppData\Local\Temp\7z.dll, PE32+ 39->75 dropped 111 Disables UAC (registry) 39->111 113 Loading BitLocker PowerShell Module 39->113 115 Powershell drops PE file 39->115 47 conhost.exe 39->47         started        49 ReAgentc.exe 39->49         started        51 conhost.exe 43->51         started        53 ReAgentc.exe 43->53         started        file13 signatures14 process15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6b3e0f224cba9c07d0ac6ef71325481a63e9d5fc0629cf64cb71cdeb041fc13c
Verdict:
inconclusive
YARA:
11 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.21 Win 32 Exe x86
Link:
https://app.malva.re/file/4156f7e081aa9b4264bb1771d767a53b
Detection:
shortloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6b3e0f224cba9c07d0ac6ef71325481a63e9d5fc0629cf64cb71cdeb041fc13c/
Threat name:
Win32.Backdoor.MarteVenomRAT
Create hunting rule
Status:
Malicious
First seen:
2025-09-30 23:31:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
30 of 37 (81.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nm7a6ismxkoapufmn33rgjkidjr6tvp4ayu46zglohg6wba7ye6a._file
Verdict:
malicious
Label(s):
unc_loader_063
Create hunting rule
salatstealer
Create hunting rule
Similar samples:
error
XWorm
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:salatstealer family:xworm credential_access defense_evasion discovery rat spyware stealer trojan upx
Link:
https://tria.ge/reports/251004-eymmqshp9w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Badlisted process makes network request
Downloads MZ/PE file
Detect SalatStealer payload
Detect Xworm Payload
Salatstealer family
UAC bypass
Xworm
Xworm family
salatstealer
Malware Config
C2 Extraction:
193.233.113.101:6000
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f7c571ce-3c2c-4788-a685-2e385ec26870
Unpacked files
SH256 hash:
6b3e0f224cba9c07d0ac6ef71325481a63e9d5fc0629cf64cb71cdeb041fc13c
MD5 hash:
4156f7e081aa9b4264bb1771d767a53b
SHA1 hash:
5596c1ca61fb30359a496021177af1ebc32cf2dd
Link:
https://www.unpac.me/results/185d0468-5c81-4135-8b98-111e7bd5d023/
SH256 hash:
7fea084834a39580ea261804698e191ba48568e98cbddde033242228320dc2bd
MD5 hash:
7789dbdf700737e8c591c6221f5ecdff
SHA1 hash:
490e640e83ac39bde938002bcee910ee3f1a28dc
Detections:
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Link:
https://www.unpac.me/results/185d0468-5c81-4135-8b98-111e7bd5d023/
Malware family:
SalatStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6b3e0f224cba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b3e0f224cba9c07d0ac6ef71325481a63e9d5fc0629cf64cb71cdeb041fc13c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:Heuristics_ChromeABE
Create hunting rule
Author:Still
Description:attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Multi_Generic_Threat_19854dc2
Create hunting rule
Author:Elastic Security
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:Rooter
Create hunting rule
Author:Seth Hardy
Description:Rooter
Rule name:RooterStrings
Create hunting rule
Author:Seth Hardy
Description:Rooter Identifying Strings
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/30108/

Comments