MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 746fbf9ebfcbcdb031ffe8e1489f640665517c93ad40fe4fba83dd39b1b8a301. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 18


Intelligence 18 IOCs 1 YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 746fbf9ebfcbcdb031ffe8e1489f640665517c93ad40fe4fba83dd39b1b8a301
SHA3-384 hash: 944399b5ce2d2756bdd0682f11616c456e6b5d0e95b09324e63b2587e8ab4c0aed230e3559dc08189a673c310a670b9c
SHA1 hash: 129ba2e685384c4c1843133fbc3232c279f84475
MD5 hash: da60828878bd857a3a998d6529b9a1b9
humanhash: diet-king-may-lamp
File name:746fbf9ebfcbcdb031ffe8e1489f640665517c93ad40f.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:1'048'532 bytes
First seen:2025-09-01 22:55:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32f3282581436269b3a75b6675fe3e08 (197 x LummaStealer, 123 x Rhadamanthys, 8 x CoinMiner)
ssdeep 12288:JqtYrxOhtFS7p7mYXamFTGUMipaGv4phK4F8KO2aUJSqaT+AVlx6kY1LGdzG5NY:karxWomMhwbiGm9KsAMT+AVmkoKdy5a
Threatray 752 similar samples on MalwareBazaar
TLSH T10825F657BB1506A8E2B372FB714941A1B21E831A53CF1C4356F8274A5B3316CC2F6A7E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe xworm


Avatar
abuse_ch
XWorm C2:
196.251.113.4:8989

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
196.251.113.4:8989 https://threatfox.abuse.ch/ioc/1579949/

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
46791467c13cf4718f680a8a14975949.exe
Verdict:
Malicious activity
Analysis date:
2025-09-01 19:36:20 UTC
Tags:
auto redline stealer amadey botnet arch-exec stealc lumma themida loader purecrypter evasion python discord auto-reg rdp autoit auto-sch banker grandoreiro auto-startup ms-smartcard screenconnect rmm-tool remote telegram pastebin exfiltration
Link:
https://app.any.run/tasks/d9e29129-08fb-4613-9702-3a0b80e078e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/24619/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b62475eb163e0ec1841a13
Tags:
autoit emotet nsis
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Connection attempt
Possible injection to a system process
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug blackhole installer microsoft_visual_cc nsis overlay redcap
Link:
https://www.filescan.io/uploads/68b624721c81c34281dada90/reports/e74f4113-a99b-4983-8b20-bc74f7bc8750/overview
Verdict:
Malicious
Labled as:
Infostealer/LummaC2
Link:
https://www.hybrid-analysis.com/sample/746fbf9ebfcbcdb031ffe8e1489f640665517c93ad40fe4fba83dd39b1b8a301
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-01T16:45:00Z UTC
Last seen:
2025-09-01T16:45:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/746fbf9ebfcbcdb031ffe8e1489f640665517c93ad40fe4fba83dd39b1b8a301/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bcb23cd5-741e-4f23-836c-cbb57b57fbf6
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1769137
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Powershell download and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1769137 Sample: 746fbf9ebfcbcdb031ffe8e1489... Startdate: 02/09/2025 Architecture: WINDOWS Score: 100 75 dodle54.duckdns.org 2->75 77 dayzcheatcheck.online 2->77 79 KgVRuJXwDD.KgVRuJXwDD 2->79 89 Suricata IDS alerts for network traffic 2->89 91 Found malware configuration 2->91 93 Malicious sample detected (through community Yara rule) 2->93 97 12 other signatures 2->97 12 746fbf9ebfcbcdb031ffe8e1489f640665517c93ad40f.exe 21 2->12         started        15 explorer.exe 1 2->15         started        17 explorer.exe 1 2->17         started        19 QuantumMind.bat 2->19         started        signatures3 95 Uses dynamic DNS services 75->95 process4 file5 65 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 12->65 dropped 21 cmd.exe 1 12->21         started        24 QuantumMind.bat 15->24         started        process6 signatures7 99 Detected CypherIt Packer 21->99 101 Suspicious powershell command line found 21->101 103 Drops PE files with a suspicious file extension 21->103 105 Uses schtasks.exe or at.exe to add and modify task schedules 21->105 26 cmd.exe 4 21->26         started        29 conhost.exe 21->29         started        process8 file9 63 C:\Users\user\AppData\Local\...\Forecasts.pif, PE32 26->63 dropped 31 Forecasts.pif 6 26->31         started        35 extrac32.exe 20 26->35         started        37 tasklist.exe 1 26->37         started        39 2 other processes 26->39 process10 file11 69 C:\Users\user\AppData\Local\...\RegAsm.exe, PE32 31->69 dropped 71 C:\Users\user\AppData\...\QuantumMind.lnk, MS 31->71 dropped 73 C:\Users\user\AppData\...\QuantumMind.bat, PE32 31->73 dropped 83 Writes to foreign memory regions 31->83 85 Injects a PE file into a foreign processes 31->85 41 RegAsm.exe 2 31->41         started        45 cmd.exe 2 31->45         started        48 cmd.exe 1 31->48         started        signatures12 process13 dnsIp14 81 dodle54.duckdns.org 196.251.113.4, 49721, 8989 xneeloZA Seychelles 41->81 107 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 41->107 50 cmd.exe 41->50         started        67 C:\Users\user\AppData\...\QuantumMind.url, MS 45->67 dropped 53 conhost.exe 45->53         started        55 conhost.exe 48->55         started        57 schtasks.exe 1 48->57         started        file15 signatures16 process17 signatures18 87 Suspicious powershell command line found 50->87 59 conhost.exe 50->59         started        61 powershell.exe 50->61         started        process19
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/746fbf9ebfcbcdb031ffe8e1489f640665517c93ad40fe4fba83dd39b1b8a301
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE Memory-Mapped (Dump)
Link:
https://app.malva.re/file/da60828878bd857a3a998d6529b9a1b9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/746fbf9ebfcbcdb031ffe8e1489f640665517c93ad40fe4fba83dd39b1b8a301/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-09-01 19:44:31 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=orx37hv7zpg3amp75dqurh3eazsvc7etvvap4t52qpottmnyumaq._file
Verdict:
malicious
Label(s):
unc_loader_058
Create hunting rule
Similar samples:
2e7612dfa9f1a487dd92cc2ff6f115d7f63aed124841b75f6a245f22b7b8ab07
XWorm
30620c423c928e5e37f9386f7cb5e6ab87eaee7638975f4a8d8f90c56cb785f1
XWorm
4c3df5648a4b0412b690bad3da5b6694db67b89dd44b8d87cac52631a5712865
XWorm
7278b17862045e23ff94e4aaf7ecfd01f6a77cef9834ea7e9c06bcf3ed4ed397
XWorm
7637a8df7c51b548d859aca0dc00cc0cc6be47d7bb6622dab9a91432d0bfbe27
XWorm
96605014e2a3ff0db56a2089a6b27fa3f09724453adb50dee07216c79d6454bd
XWorm
98573ca0d8fb45c4b131bd88799a2fcb6613bd44033fe540dd046e99821f9aeb
XWorm
a38bb7021ecb29f9a95f60ed3d889490bdc6f710c77673607a3a82c3beba652a
XWorm
deea19a546b50ad4f263fbe051c32b71057d56c5c22f4aa4d7fda3b54c3b8d46
XWorm
e94e654ba23abe11cbd56407cd149d388428f0951097c8c9c9b796cb559be321
XWorm
error
XWorm
+ 742 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution persistence rat trojan
Link:
https://tria.ge/reports/250901-2whbkatkw7/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Enumerates processes with tasklist
Drops startup file
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm
Xworm family
Malware Config
C2 Extraction:
helldog24.duckdns.org:8989
dodle54.duckdns.org:8989
startnw54.duckdns.org:8989
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d7066d58-f2e7-40c9-96b4-1fdc3eecd33d
Unpacked files
SH256 hash:
746fbf9ebfcbcdb031ffe8e1489f640665517c93ad40fe4fba83dd39b1b8a301
MD5 hash:
da60828878bd857a3a998d6529b9a1b9
SHA1 hash:
129ba2e685384c4c1843133fbc3232c279f84475
Link:
https://www.unpac.me/results/6eaa87ca-49cf-4e74-831b-4138a1172cc5/
SH256 hash:
bb4fb924885b8d6719cb88e7f231abcbb7c2a1c69be92a12ce7bb56bed9129e3
MD5 hash:
094ae615109634f48bede4a612e36fc8
SHA1 hash:
a8b8cbf4d8a7f368b3ae53090bab40a2793657eb
Link:
https://www.unpac.me/results/6eaa87ca-49cf-4e74-831b-4138a1172cc5/
SH256 hash:
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af
MD5 hash:
08e9796ca20c5fc5076e3ac05fb5709a
SHA1 hash:
07971d52dcbaa1054060073571ced046347177f7
Link:
https://www.unpac.me/results/6eaa87ca-49cf-4e74-831b-4138a1172cc5/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/746fbf9ebfcb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/746fbf9ebfcbcdb031ffe8e1489f640665517c93ad40fe4fba83dd39b1b8a301

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Trojan_XWorm_b7d6eaa8
Create hunting rule
Author:Elastic Security
Rule name:win_xworm_bytestring
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects bytestring present in unobfuscated xworm
Rule name:win_xworm_w0
Create hunting rule
Author:jeFF0Falltrades
Description:Detects win.xworm.
Rule name:xworm
Create hunting rule
Author:jeFF0Falltrades
Rule name:xworm_kingrat
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/24619/

Comments