MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6de943d7dac05c1415b6a760d9398ae5071b63e43293a634dc6c3014e0025697. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6de943d7dac05c1415b6a760d9398ae5071b63e43293a634dc6c3014e0025697
SHA3-384 hash: 1173984b2f81f7e2b15f30cf2e517f7488080a5a9390cec2b3a130d5e9da67adebe13b8bdd162355d00cd4a953e565f8
SHA1 hash: 3123ec626f97ec55d19cdc697d68ff34901b03c1
MD5 hash: 0303d8146904a1488d15f5ea249934e6
humanhash: fanta-venus-oscar-quiet
File name:0303d8146904a1488d15f5ea249934e6.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:1'155'584 bytes
First seen:2025-04-29 05:45:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 130d5621ef2323889c6e1ed2746329fe (22 x LummaStealer, 4 x Vidar, 2 x LockBit)
ssdeep 24576:Ghu8RSDcmp3s/5N/sb8p3u2VV7O529Y0egWKCJ:SBRSomtsLgEVFO529mgWp
Threatray 69 similar samples on MalwareBazaar
TLSH T17035BF18E934D0D5FCD341F17B699211F4237E3BCE28696B94E8E750154AEED063F22A
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
437
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
2025-04-28_75b09a930602a19224bc3b1d50b4fbbc_agent-tesla_black-basta_cobalt-strike_darkgate_elex_luca-stealer
Verdict:
Malicious activity
Analysis date:
2025-04-28 23:01:54 UTC
Tags:
auto-sch loader amadey botnet stealer auto auto-reg lumma evasion autoit auto-startup telegram rdp crypto-regex arch-exec stealc vidar credentialflusher phishing putty rmm-tool
Link:
https://app.any.run/tasks/5d39b64c-fce3-4ea9-9085-59117de4689c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/4867/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6810401dcc5fb3600cc43516
Tags:
kryptik virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
entropy fingerprint microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/6810678a833df795debd16fd/reports/14fb272b-e9a9-4f98-94db-1fcfac13d52c/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/6de943d7dac05c1415b6a760d9398ae5071b63e43293a634dc6c3014e0025697
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/adeb58d0-1804-480f-97b1-64602491248d
Result
Threat name:
AsyncRAT, LummaC Stealer, Njrat, Quasar,
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1676929
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops PE files to the startup folder
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected LummaC Stealer
Yara detected Njrat
Yara detected Quasar RAT
Yara detected Vidar stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1676929 Sample: 447nIWHSEK.exe Startdate: 29/04/2025 Architecture: WINDOWS Score: 100 115 itsrevolutionmagnus.xyz 2->115 117 62.3a.4t.com 2->117 119 10 other IPs or domains 2->119 135 Suricata IDS alerts for network traffic 2->135 137 Found malware configuration 2->137 139 Malicious sample detected (through community Yara rule) 2->139 143 20 other signatures 2->143 11 447nIWHSEK.exe 2->11         started        14 svchost.exe 2->14         started        16 msedge.exe 106 636 2->16         started        19 9 other processes 2->19 signatures3 141 Performs DNS queries to domains with low reputation 115->141 process4 dnsIp5 187 Contains functionality to inject code into remote processes 11->187 189 Writes to foreign memory regions 11->189 191 Allocates memory in foreign processes 11->191 193 Injects a PE file into a foreign processes 11->193 21 MSBuild.exe 43 11->21         started        26 MSBuild.exe 11->26         started        195 Changes security center settings (notifications, updates, antivirus, firewall) 14->195 99 239.255.255.250 unknown Reserved 16->99 28 msedge.exe 16->28         started        30 msedge.exe 16->30         started        32 msedge.exe 16->32         started        signatures6 process7 dnsIp8 121 62.3a.4t.com 5.75.209.111, 443, 49682, 49683 HETZNER-ASDE Germany 21->121 123 t.me 149.154.167.99, 443, 49681 TELEGRAMRU United Kingdom 21->123 129 2 other IPs or domains 21->129 79 C:\Users\user\AppData\...\X_Browser[1].exe, PE32+ 21->79 dropped 81 C:\Users\user\AppData\...\Q_Browser[1].exe, PE32 21->81 dropped 83 C:\Users\user\AppData\...83_Browser[1].exe, PE32 21->83 dropped 85 11 other malicious files 21->85 dropped 171 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->171 173 Found many strings related to Crypto-Wallets (likely being stolen) 21->173 175 Tries to harvest and steal ftp login credentials 21->175 183 3 other signatures 21->183 34 6fcb1vs0zu.exe 21->34         started        38 3o8y5pp8q9.exe 21->38         started        40 dt0r1db1ny.exe 21->40         started        42 6 other processes 21->42 177 Attempt to bypass Chrome Application-Bound Encryption 26->177 179 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 26->179 181 Bypasses PowerShell execution policy 26->181 185 2 other signatures 26->185 125 18.164.174.120, 443, 49780 MIT-GATEWAYSUS United States 28->125 127 c-msn-pme.trafficmanager.net 20.125.62.241, 443, 49743, 49784 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 28->127 131 35 other IPs or domains 28->131 file9 signatures10 process11 dnsIp12 69 C:\Users\user\AppData\...69vidiaDriver.exe, PE32 34->69 dropped 145 Antivirus detection for dropped file 34->145 147 Multi AV Scanner detection for dropped file 34->147 149 Detected unpacking (changes PE section rights) 34->149 151 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 34->151 45 NvidiaDriver.exe 34->45         started        71 C:\Users\user\...\YuBeG1GhfB9ZuHP6.exe, PE32 38->71 dropped 153 Query firmware table information (likely to detect VMs) 38->153 167 2 other signatures 38->167 49 YuBeG1GhfB9ZuHP6.exe 38->49         started        155 Writes to foreign memory regions 40->155 157 Allocates memory in foreign processes 40->157 159 Injects a PE file into a foreign processes 40->159 52 MSBuild.exe 40->52         started        133 192.168.2.7, 443, 49672, 49681 unknown unknown 42->133 73 C:\Users\user\AppData\...\Microsoft Edge.exe, PE32 42->73 dropped 75 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 42->75 dropped 77 C:\Users\user\AppData\Local\...\Dllhost.exe, PE32 42->77 dropped 161 Creates multiple autostart registry keys 42->161 163 Drops PE files to the startup folder 42->163 165 Monitors registry run keys for changes 42->165 169 3 other signatures 42->169 54 MSBuild.exe 42->54         started        56 Microsoft Edge.exe 42->56         started        58 chrome.exe 42->58         started        60 2 other processes 42->60 file13 signatures14 process15 dnsIp16 87 C:\...\e0083c6d60894652b6066dc5bd9a821e.exe, PE32+ 45->87 dropped 89 C:\Users\user\AppData\...\InternetDriver.exe, PE32 45->89 dropped 197 Tries to detect sandboxes and other dynamic analysis tools (window names) 45->197 199 Hides threads from debuggers 45->199 201 Tries to detect sandboxes / dynamic malware analysis system (registry check) 45->201 101 192.168.2.8 unknown unknown 49->101 91 C:\Users\user\...\vV9NToR4T8RKxyXg.exe, PE32 49->91 dropped 93 C:\Users\user\...\glkT8OGyTI1WZAUZ.exe, PE32 49->93 dropped 95 C:\Users\user\...\gGSZ0U2bezaKmJx0.exe, PE32+ 49->95 dropped 97 C:\Users\user\AppData\...\LiseJackes[1].exe, PE32+ 49->97 dropped 203 Multi AV Scanner detection for dropped file 49->203 205 Query firmware table information (likely to detect VMs) 49->205 207 Creates multiple autostart registry keys 49->207 209 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 49->209 103 zenithcorde.top 172.67.190.162, 443, 49827, 49828 CLOUDFLARENETUS United States 52->103 211 Tries to harvest and steal ftp login credentials 52->211 213 Tries to harvest and steal browser information (history, passwords, etc) 52->213 215 Tries to steal Crypto Currency Wallets 52->215 217 Tries to steal from password manager 52->217 219 Adds a directory exclusion to Windows Defender 54->219 62 powershell.exe 54->62         started        105 94.26.90.81 ASDETUKhttpwwwheficedcomGB Bulgaria 56->105 107 ipwho.is 108.181.47.111 ASN852CA Canada 56->107 221 Hides that the sample has been downloaded from the Internet (zone.identifier) 56->221 109 plus.l.google.com 142.250.217.142, 443, 49720 GOOGLEUS United States 58->109 111 ogads-pa.clients6.google.com 192.178.49.170, 443, 49719 GOOGLEUS United States 58->111 113 2 other IPs or domains 58->113 65 conhost.exe 60->65         started        file17 signatures18 process19 signatures20 223 Loading BitLocker PowerShell Module 62->223 67 conhost.exe 62->67         started        process21
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6de943d7dac05c1415b6a760d9398ae5071b63e43293a634dc6c3014e0025697
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6de943d7dac05c1415b6a760d9398ae5071b63e43293a634dc6c3014e0025697/
Threat name:
Win64.Trojan.LummaC
Create hunting rule
Status:
Malicious
First seen:
2025-04-29 01:27:10 UTC
File Type:
PE+ (Exe)
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nxuuhv62ybobifnwu5qnsomk4udrwy7egkj2mng4nqybjyack2lq._file
Verdict:
malicious
Label(s):
vidar
Create hunting rule
Similar samples:
59b9a59cf24c3495ff3c56d7d8e435deec09a28e750fe6f9d3138197a9568aa7
XWorm
6de943d7dac05c1415b6a760d9398ae5071b63e43293a634dc6c3014e0025697
XWorm
77a292536e782ff720b0397bb37ce1ad66a8f3b3be636438f25cd8d27ef8b1a5
XWorm
a186ca459a30329c533036d3f672ae60c3ed7241787916ee2798b37f600ddcd5
XWorm
be6e14517a4bac3e6bd3682d01e9139fcf51cd702770109a7d144f76c1a7ff6a
XWorm
dc411841c3a1714fba35a1535d8563869b6ec3fc1cb87a9f56d057657a546077
XWorm
error
XWorm
faedc0a8dc40405a0aa4afc61afdb1b113ef5bf62a47fdf987b5a54e272befcd
XWorm
+ 59 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:njrat family:quasar family:vidar family:xworm botnet:158fdd2a4f5abb978509580715e5353f botnet:office04 botnet:user credential_access defense_evasion discovery execution persistence rat spyware stealer themida trojan
Link:
https://tria.ge/reports/250429-gf5rpsxmv9/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Themida packer
Unsecured Credentials: Credentials In Files
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detect Vidar Stealer
Detect Xworm Payload
Lumma Stealer, LummaC
Lumma family
Njrat family
Quasar RAT
Quasar family
Quasar payload
Vidar
Vidar family
Xworm
Xworm family
njRAT/Bladabindi
Malware Config
C2 Extraction:
https://t.me/m00f3r
https://steamcommunity.com/profiles/76561199851454339
https://clarmodq.top/qoxo
https://zenithcorde.top/auid
https://techguidet.digital/apdo
https://btcgeared.live/lbak
https://buzzarddf.live/ktnt
https://techsyncq.run/riid
https://parakehjet.run/kewk
94.26.90.81:6663
94.26.90.81:4782
94.26.90.81:6666
Verdict:
Suspicious
Tags:
stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/6566aec3-e68c-4ade-99b9-475761bb2510
Unpacked files
SH256 hash:
6de943d7dac05c1415b6a760d9398ae5071b63e43293a634dc6c3014e0025697
MD5 hash:
0303d8146904a1488d15f5ea249934e6
SHA1 hash:
3123ec626f97ec55d19cdc697d68ff34901b03c1
Link:
https://www.unpac.me/results/341296db-a6e7-4a2a-9ca4-f6bda9440789/
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6de943d7dac0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6de943d7dac05c1415b6a760d9398ae5071b63e43293a634dc6c3014e0025697

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Executable exe 6de943d7dac05c1415b6a760d9398ae5071b63e43293a634dc6c3014e0025697

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/4867/
  
URLhaus
https://urlhaus.abuse.ch/url/3527463/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW

Comments