MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71298dc679ea1a7f863c3c645f008e5ffcf892510bafc1c1fd201fcbf5f41952. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 20


Intelligence 20 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71298dc679ea1a7f863c3c645f008e5ffcf892510bafc1c1fd201fcbf5f41952
SHA3-384 hash: 0563750c5e00c6d3e2ef0e984dc3d537cfce44754baf7867d32562719c5fef99f3cd82a9bc6aa9397fe101b49c472d9b
SHA1 hash: b094d7b105d4e6ec9071d0ea371c45649094e652
MD5 hash: e02cb6e561544032a40aaba15543c004
humanhash: uncle-juliet-india-fifteen
File name:SMT_20260417_Price Request DX FLO-VN.pdf(94KB).exe
Download: download sample
Signature XWorm
Create hunting rule
File size:1'068'544 bytes
First seen:2026-04-17 07:52:00 UTC
Last seen:2026-05-08 13:21:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'003 x AgentTesla, 19'910 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 24576:OGLRDQZdMA2NAmzucFDkFHtBtCbKrMyfprOIbuGN7lK21:OG+MA2JzucF45xC2Msp6IbJ7821
Threatray 227 similar samples on MalwareBazaar
TLSH T18435026A76E84F90C9582EB9C1F3682407E2E58376B3F78A3B5116C61E527E0DF463C4
TrID 69.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win64 Executable (generic) (6522/11/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter lowmal3
Tags:exe xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
154
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
NETReactor
Details
NETReactor
decrypted strings
Link:
https://research.acce.ciphertechsolutions.com/results/ba214fb2-0264-426b-8da6-9e016e9a9ca3/
Malware family:
n/a
ID:
1
File name:
_71298dc679ea1a7f863c3c645f008e5ffcf892510bafc1c1fd201fcbf5f41952.exe
Verdict:
Suspicious activity
Analysis date:
2026-04-17 07:52:49 UTC
Tags:
netreactor auto-reg auto-startup
Link:
https://app.any.run/tasks/9dd20588-4ca2-45be-98e6-46aa90ccef9e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/61930/
Detection(s):
SecuriteInfo.com.W32.ABTrojan.DOKS-8849.22758.4467.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69e1e6b8f68adfe1003ab011
Tags:
autorun philis trojan hello
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Query of malicious DNS domain
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 crypt net_reactor obfuscated obfuscated packed packed unsafe vbnet
Link:
https://www.filescan.io/uploads/69e1e6b6d920e19044ffe3a6/reports/cd7f4c37-6be8-469c-a80f-80e377f5d059/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/71298dc679ea1a7f863c3c645f008e5ffcf892510bafc1c1fd201fcbf5f41952
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-04-16T22:03:00Z UTC
Last seen:
2026-04-19T06:02:00Z UTC
Hits:
~1000
Detections:
Trojan-Dropper.Win32.Injector.sb PDM:Trojan.Win32.Generic Trojan.WinLNK.Agent.fb Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan.MSIL.Agent.sb Backdoor.Win32.Androm.sb PDM:Worm.Win32.Generic VHO:Trojan.MSIL.Crypt.gen HEUR:Trojan.MSIL.Crypt.gen Backdoor.MSIL.XWorm.b
Link:
https://opentip.kaspersky.com/71298dc679ea1a7f863c3c645f008e5ffcf892510bafc1c1fd201fcbf5f41952/results?tab=lookup
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3cfe5e31-c92f-40da-b50e-6045799efe7d
Result
Threat name:
DarkTortilla, KeyLogger, Phantom stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1899905
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected DarkTortilla Crypter
Yara detected Keylogger Generic
Yara detected MSIL Injector
Yara detected Phantom stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1899905 Sample: SMT_20260417_Price Request ... Startdate: 17/04/2026 Architecture: WINDOWS Score: 100 46 code1.ydns.eu 2->46 48 wqo9.firewall-gateway.de 2->48 50 2 other IPs or domains 2->50 54 Suricata IDS alerts for network traffic 2->54 56 Found malware configuration 2->56 58 Antivirus detection for URL or domain 2->58 60 19 other signatures 2->60 8 SMT_20260417_Price Request DX FLO-VN.pdf(94KB).exe 3 2->8         started        12 VersionUpdate.exe 3 2->12         started        14 VersionUpdate.exe 2 2->14         started        signatures3 process4 file5 38 SMT_20260417_Price...N.pdf(94KB).exe.log, ASCII 8->38 dropped 62 Injects a PE file into a foreign processes 8->62 16 SMT_20260417_Price Request DX FLO-VN.pdf(94KB).exe 1 8 8->16         started        21 SMT_20260417_Price Request DX FLO-VN.pdf(94KB).exe 8->21         started        64 Antivirus detection for dropped file 12->64 66 Multi AV Scanner detection for dropped file 12->66 23 VersionUpdate.exe 12->23         started        25 VersionUpdate.exe 12->25         started        27 VersionUpdate.exe 12->27         started        29 VersionUpdate.exe 14->29         started        signatures6 process7 dnsIp8 40 code1.ydns.eu 128.0.1.9, 59013 M247GB Romania 16->40 42 wqo9.firewall-gateway.de 91.92.241.145, 59013 THEZONEBG Bulgaria 16->42 44 rency.ydns.eu 5.180.82.239, 49703, 59013 ASDETUKhttpwwwheficedcomGB Latvia 16->44 34 C:\Users\user\AppData\...\VersionUpdate.exe, PE32 16->34 dropped 36 C:\Users\user\AppData\Local\Temp\dnknah.exe, PE32 16->36 dropped 52 Creates autostart registry keys with suspicious values (likely registry only malware) 16->52 31 dnknah.exe 16->31         started        file9 signatures10 process11 signatures12 68 Found many strings related to Crypto-Wallets (likely being stolen) 31->68 70 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->70
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/71298dc679ea1a7f863c3c645f008e5ffcf892510bafc1c1fd201fcbf5f41952
Verdict:
Malware
YARA:
12 match(es)
Tags:
.Net .Net Obfuscator .Net Reactor Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.90 Win 32 Exe x86
Link:
https://app.malva.re/file/e02cb6e561544032a40aaba15543c004
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/71298dc679ea1a7f863c3c645f008e5ffcf892510bafc1c1fd201fcbf5f41952/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/71298dc679ea1a7f863c3c645f008e5ffcf892510bafc1c1fd201fcbf5f41952
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2026-04-17 06:04:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oeuy3rtz5inh7br4hrsf6aeol76presrbox4dqp5eap4x5pudfja._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
20985888d059fdd496b3f85d36c8e4f281b084c1e247d89b1de614b60168d1d7
XWorm
6ef077339d502b2c4c5fbf6c06a3a512f55f95f42cbbcfcc7620ae47efae7f93
XWorm
8bc544386ccb4eb630c4b8df83be99b28e8c0f1b45a17126178bcfb25ea668a6
XWorm
e6bb646f56c9c4807ee6aa5d50101b0bc1240f748e6c9c12a3f673f2f828d10f
XWorm
e6faf4b04b4af47427346ee41caa3aeb95b7e864458d570ba5111d73cbc70f1c
XWorm
error
XWorm
+ 217 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery persistence rat trojan
Link:
https://tria.ge/reports/260417-jqkwdsht7l/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
.NET Reactor proctector
Checks computer location settings
Drops startup file
Executes dropped EXE
Detect Xworm Payload
Family: Xworm
Unpacked files
SH256 hash:
7d3aeb42939734fb6031c9a5df939e92a5430107e48adb9e9ba7449996d4b6ed
MD5 hash:
0d016d1826a8b3318a90bda23e8b5cb7
SHA1 hash:
0f7ea70b131217ec310a6df95b2771127c9ec41f
Link:
https://www.unpac.me/results/151038d4-976d-4784-bd58-b5e24bb43946/
SH256 hash:
991e45cff5642f00d0fa74acc3bbd1efd4524f515c5f0502cda3175e80feafcd
MD5 hash:
cb1325b099233398720bac897a8a7cc9
SHA1 hash:
8bf682b059478018d33c42d30f9c41a429509238
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/151038d4-976d-4784-bd58-b5e24bb43946/
SH256 hash:
8995d7eca4de6c7c0c1a761c877e4e7c80de63bd361c8aaee1bbd66fd4c9dfc3
MD5 hash:
a5543a26919050e9c0313e29b9fc43c2
SHA1 hash:
aa89566831accff7db683d0e1abdfd9265433a2f
Link:
https://www.unpac.me/results/151038d4-976d-4784-bd58-b5e24bb43946/
SH256 hash:
f801a59b8aa8bf307b0437a4e06281f1bbbba003a2718aabbd2c346040363c83
MD5 hash:
785f121f6a1242fb6cc8cdb2cebba563
SHA1 hash:
dc7ff82f2b7be8522b75161da2c0ce2bca00519e
Link:
https://www.unpac.me/results/151038d4-976d-4784-bd58-b5e24bb43946/
SH256 hash:
71298dc679ea1a7f863c3c645f008e5ffcf892510bafc1c1fd201fcbf5f41952
MD5 hash:
e02cb6e561544032a40aaba15543c004
SHA1 hash:
b094d7b105d4e6ec9071d0ea371c45649094e652
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/151038d4-976d-4784-bd58-b5e24bb43946/
SH256 hash:
71298dc679ea1a7f863c3c645f008e5ffcf892510bafc1c1fd201fcbf5f41952
MD5 hash:
e02cb6e561544032a40aaba15543c004
SHA1 hash:
b094d7b105d4e6ec9071d0ea371c45649094e652
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/151038d4-976d-4784-bd58-b5e24bb43946/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/71298dc679ea/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/71298dc679ea1a7f863c3c645f008e5ffcf892510bafc1c1fd201fcbf5f41952

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Executable exe 71298dc679ea1a7f863c3c645f008e5ffcf892510bafc1c1fd201fcbf5f41952

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/61930/

Comments