MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 715f32d3ba36774ca6d9428f60872e309e88915575e7a10bda2e85eea28f0a9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 715f32d3ba36774ca6d9428f60872e309e88915575e7a10bda2e85eea28f0a9a
SHA3-384 hash: 4f508c80bd32344f0aecccb22bc1927dd393f1b38c4c5ec8973f8c9f78aa673fd53755c62ebb628247bdce55d4648f3d
SHA1 hash: 01aef15fc2992ba4769f60c8326057286ec637d7
MD5 hash: 607abbe37ff13a59b3ffa987d3a273dc
humanhash: leopard-football-vegan-carpet
File name:607abbe37ff13a59b3ffa987d3a273dc.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:968'192 bytes
First seen:2025-06-24 05:37:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3132b97acae9eb7f3053e4d14c497a51 (12 x LummaStealer, 3 x Stealc, 1 x StormKitty)
ssdeep 24576:aMcm3JE3VPxEw/5D2F7LD6RMsatx448Icsatx448I:98VPiwhDRMsatx44Vcsatx44V
TLSH T1EF25DF29E261A3E9FD2A01B544926241B462B937C7382FEF93D4D3335E037C55E3A729
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
407
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
586b3e1c70fa62b2b32bbb43a50280a3fe3d8fcc082866efc72ac52c8bd86535.exe
Verdict:
Malicious activity
Analysis date:
2025-06-23 21:33:02 UTC
Tags:
loader amadey botnet stealer themida rdp stealc vidar telegram deerstealer susp-powershell auto lumma evasion autoit lclipper clipper generic ims-api ip-check purehvnc netreactor
Link:
https://app.any.run/tasks/04b872a7-4e7f-4c26-9e1b-439c6c7e090a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/10779/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.4065.15554.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=685a3a8fb06783b9ebd6c978
Tags:
virus zusy
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc packed packed packer_detected similar-threat
Link:
https://www.filescan.io/uploads/685a3a15cf2af15711163067/reports/b4d2747a-690f-493d-acc4-b570ee69e321/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/715f32d3ba36774ca6d9428f60872e309e88915575e7a10bda2e85eea28f0a9a
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c897580d-4fdc-4193-8c94-1694b1069827
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1721542
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Compiles code for process injection (via .Net compiler)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1721542 Sample: y7c8oJC82M.exe Startdate: 24/06/2025 Architecture: WINDOWS Score: 100 88 t.me 2->88 90 f3.xo.mastermaths.com.sg 2->90 92 2 other IPs or domains 2->92 106 Suricata IDS alerts for network traffic 2->106 108 Malicious sample detected (through community Yara rule) 2->108 110 Multi AV Scanner detection for submitted file 2->110 112 7 other signatures 2->112 10 y7c8oJC82M.exe 1 2->10         started        signatures3 process4 signatures5 124 Contains functionality to inject code into remote processes 10->124 126 Writes to foreign memory regions 10->126 128 Allocates memory in foreign processes 10->128 130 Injects a PE file into a foreign processes 10->130 13 MSBuild.exe 33 10->13         started        17 MSBuild.exe 10->17         started        19 conhost.exe 10->19         started        21 MSBuild.exe 10->21         started        process6 dnsIp7 100 t.me 149.154.167.99, 443, 49690 TELEGRAMRU United Kingdom 13->100 102 f3.xo.mastermaths.com.sg 195.201.254.239, 443, 49691, 49692 HETZNER-ASDE Germany 13->102 132 Encrypted powershell cmdline option found 13->132 134 Tries to harvest and steal browser information (history, passwords, etc) 13->134 23 powershell.exe 22 13->23         started        27 powershell.exe 13->27         started        29 chrome.exe 13->29         started        31 27 other processes 13->31 signatures8 process9 dnsIp10 84 C:\Users\user\AppData\...\4rugazbw.cmdline, Unicode 23->84 dropped 114 Writes to foreign memory regions 23->114 116 Compiles code for process injection (via .Net compiler) 23->116 118 Creates a thread in another existing process (thread injection) 23->118 34 csc.exe 3 23->34         started        37 conhost.exe 23->37         started        39 csc.exe 27->39         started        41 conhost.exe 27->41         started        120 Encrypted powershell cmdline option found 29->120 122 Suspicious execution chain found 29->122 104 192.168.2.6, 138, 443, 49689 unknown unknown 31->104 86 C:\Users\user\AppData\Local\...\3erwupfv.0.cs, Unicode 31->86 dropped 43 chrome.exe 31->43         started        46 csc.exe 31->46         started        48 csc.exe 31->48         started        50 24 other processes 31->50 file11 signatures12 process13 dnsIp14 68 C:\Users\user\AppData\Local\...\4rugazbw.dll, PE32 34->68 dropped 52 cvtres.exe 1 34->52         started        70 C:\Users\user\AppData\Local\...\3oigafq0.dll, PE32 39->70 dropped 54 cvtres.exe 39->54         started        94 apis.google.com 43->94 96 ogads-pa.clients6.google.com 142.250.80.42, 443, 49709, 49711 GOOGLEUS United States 43->96 98 3 other IPs or domains 43->98 72 C:\Users\user\AppData\Local\...\iipqt2y0.dll, PE32 46->72 dropped 56 cvtres.exe 46->56         started        74 C:\Users\user\AppData\Local\...\zglyhvcu.dll, PE32 48->74 dropped 58 cvtres.exe 48->58         started        76 C:\Users\user\AppData\Local\...\z2ehlbkb.dll, PE32 50->76 dropped 78 C:\Users\user\AppData\Local\...\uzxizsd4.dll, PE32 50->78 dropped 80 C:\Users\user\AppData\Local\...\tqx5txgg.dll, PE32 50->80 dropped 82 7 other files (none is malicious) 50->82 dropped 60 cvtres.exe 50->60         started        62 cvtres.exe 50->62         started        64 cvtres.exe 50->64         started        66 7 other processes 50->66 file15 process16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/715f32d3ba36774ca6d9428f60872e309e88915575e7a10bda2e85eea28f0a9a
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/607abbe37ff13a59b3ffa987d3a273dc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/715f32d3ba36774ca6d9428f60872e309e88915575e7a10bda2e85eea28f0a9a/
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-06-23 08:40:30 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ofptfu52gz3uzjwzikhwbbzogcpirekvoxt2cc62f2c65iupbkna._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:njrat family:quasar family:vidar family:xworm botnet:f75200b07dd43d1c5af8a9dbd1186356 botnet:google chrome botnet:hacked credential_access cryptone defense_evasion discovery packer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/250624-gckx5ax1g1/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Drops startup file
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Uses browser remote debugging
CryptOne packer
Detect Vidar Stealer
Detect Xworm Payload
Njrat family
Quasar RAT
Quasar family
Quasar payload
Vidar
Vidar family
Xworm
Xworm family
njRAT/Bladabindi
Malware Config
C2 Extraction:
https://t.me/l07tp
https://steamcommunity.com/profiles/76561199869630181
66.63.187.164:8594
66.63.187.164:8596
66.63.187.164:8595
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/589bd4c8-09b3-43e4-af5e-57d01da49661
Unpacked files
SH256 hash:
715f32d3ba36774ca6d9428f60872e309e88915575e7a10bda2e85eea28f0a9a
MD5 hash:
607abbe37ff13a59b3ffa987d3a273dc
SHA1 hash:
01aef15fc2992ba4769f60c8326057286ec637d7
Link:
https://www.unpac.me/results/f5c876ef-2d58-4534-b8e5-4c8509f044be/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/715f32d3ba36774ca6d9428f60872e309e88915575e7a10bda2e85eea28f0a9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Executable exe 715f32d3ba36774ca6d9428f60872e309e88915575e7a10bda2e85eea28f0a9a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3562395/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/10779/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::CreateMenu
USER32.dll::CreateWindowExW

Comments