MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7776706d26fb2dfd7cb96910810bb4c3a02b343a228035a0ca4db3ccf8e4d26a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XWorm


Vendor detections: 18



SHA256 hash: 7776706d26fb2dfd7cb96910810bb4c3a02b343a228035a0ca4db3ccf8e4d26a
SHA3-384 hash: 36458da7ebbeafe8e8b82eac8a7fec3b37c6fb74363147b7559baa83a1afd72ffcc87051e42f79cbea90016a81890a96
SHA1 hash: f04c0953e5169beb168fd9ebcba96ce5d2d38a92
MD5 hash: 6a26cc31650fd8ca3d62532cd1106899
humanhash: bakerloo-failed-potato-helium
File name: Contract.exe
Signature: XWorm
File size: 728'576 bytes
First seen: 2026-07-02 14:55:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'081 x AgentTesla, 20'056 x Formbook, 12'353 x SnakeKeylogger). Caveat: this is the generic imphash of a .NET executable, whose only native import is mscoree!_CorExeMain, which is why tens of thousands of samples from unrelated families share it; it is not a useful pivot for this sample.
ssdeep 12288:4XGLc4LNMs/iArYKidL6wvNEpEy8qNDBsOhSCvHFBjDv8jsQ8EO9KLMKq:4WQ4LNMtacpVkNDB3/FB38qd
Threatray 357 similar samples on MalwareBazaar
TLSH T13EF412656748CAA5C8FA47781972F27003B1BC5DAC16C22F4EE87CCBB422B815E647D7
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags: exe xworm

Intelligence


File Origin
# of uploads:
1
# of downloads:
169
Origin country:
DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
подписанный договор.msg (Russian: "signed contract.msg")
Verdict:
Malicious activity
Analysis date:
2026-07-01 12:30:35 UTC
Tags:
attachments attc-unc susp-attachments arch-exec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
autorun shell virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating synchronization primitives
Creating a process with a hidden window
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-07-01T06:42:00Z UTC
Last seen:
2026-07-04T09:28:00Z UTC
Hits:
~1000
Detections:
Backdoor.Agent.TCP.C&C Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Backdoor.MSIL.XWorm.b Trojan.MSIL.Agent.sb PDM:Trojan.Win32.Generic Trojan.MSIL.Crypt.sb HEUR:Trojan-PSW.MSIL.Agensla.vho Backdoor.MSIL.XWorm.c Trojan-Dropper.Win32.Injector.sb PDM:Trojan.Win32.Tasker.cust HEUR:Backdoor.Win32.Androm.gen Backdoor.Win32.Androm.sb HEUR:Backdoor.Win32.Agent.gen
Result
Threat name:
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential Privilege Escalation using Task Scheduler highest RunLevel
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
Behaviour
Behavior Graph:
Behavior Graph ID: 1936817
Sample: Contract.exe
Start date: 02/07/2026
Architecture: WINDOWS
Score: 100

Network contacts: www.google.com; mobile-gtalk.l.google.com; 2 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures

Process tree (dropped files and per-process signatures as reported by the sandbox):
Contract.exe
  dropped: C:\Users\user\AppData\...\Contract.exe.log (ASCII)
  signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Bypasses PowerShell execution policy; Uses schtasks.exe or at.exe to add and modify task schedules; 3 other signatures
  Contract.exe (second instance)
    network: 109.248.150.234:443 from local port 49720 (DATACLUB-NLLV, Netherlands)
    dropped: C:\Users\user\AppData\Roaming\bin.exe (PE32)
    signatures: Tries to harvest and steal browser information (history, passwords, etc); Adds a directory exclusion to Windows Defender
    powershell.exe (x3; one instance flagged for Loading BitLocker PowerShell Module)
      conhost.exe (one per powershell.exe)
    4 other processes
      dropped: C:\Users\user\AppData\Local\...\Contract.exe (PE32)
      signature: Antivirus detection for dropped file
      conhost.exe (x3); cvtres.exe
bin.exe
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes
  bin.exe
bin.exe
  bin.exe (x2)
7 other processes
  dropped: C:\Windows\Temp\zcxqfn1y.inf (Windows)
  cmstp.exe; conhost.exe; bin.exe; 2 other processes
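The Defender exclusion, scheduled task with highest RunLevel, PowerShell execution-policy bypass and cmstp.exe launch listed above are the behaviours a detection engineer would alert on from process-creation telemetry. The following Python is an added example, not code from MalwareBazaar or from any of the sandboxes quoted on this page. The event records are constructed to resemble Sysmon Event ID 1 fields, and their command lines are illustrations of the named techniques, not command lines recovered from this sample; the cmstp.exe `/au` switch and the abbreviated PowerShell parameter spellings are assumptions drawn from documented tooling behaviour.

```python
import base64
import re

# Spellings PowerShell accepts for -EncodedCommand (assumption based on documented
# abbreviations; longest alternative first so the regex does not stop at "-e").
_ENCODED_ARG = re.compile(
    r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})"
)
_EP_BYPASS = re.compile(r"(?i)(?:^|\s)-(?:executionpolicy|ep)\s+bypass\b")
# Add-/Set-MpPreference with any exclusion parameter: the cmdlet behind
# "Adds a directory exclusion to Windows Defender".
_MP_EXCLUSION = re.compile(
    r"(?i)\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)",
    re.S,
)
_CREATE = re.compile(r"(?i)/create\b")
_RL_HIGHEST = re.compile(r"(?i)/rl\s+highest\b")
_CMSTP_AU = re.compile(r"(?i)/au\b")
_TEMP_INF = re.compile(r'(?i)\\temp\\[^\s"]+\.inf\b')


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if absent or undecodable.
    PowerShell expects base64 of UTF-16LE text, so that is what is decoded here."""
    m = _ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Map one process-creation event to a list of alert names (empty if nothing fired)."""
    name = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    alerts = []
    if name in ("powershell.exe", "pwsh.exe"):
        if _EP_BYPASS.search(cmd):
            alerts.append("powershell_executionpolicy_bypass")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            alerts.append("powershell_encoded_command")
        # Look for the exclusion cmdlet both in clear text and inside the decoded blob.
        if any(_MP_EXCLUSION.search(t) for t in (cmd, decoded or "")):
            alerts.append("defender_exclusion_added")
    elif name in ("schtasks.exe", "at.exe"):
        if _CREATE.search(cmd) and _RL_HIGHEST.search(cmd):
            alerts.append("schtasks_highest_runlevel")
    elif name == "cmstp.exe":
        if _CMSTP_AU.search(cmd) and _TEMP_INF.search(cmd):
            alerts.append("cmstp_inf_from_temp")
    return alerts


def scan(events):
    """Return (index, alerts) for every event that raised at least one alert."""
    return [(i, a) for i, e in enumerate(events) if (a := classify(e))]


# Constructed events shaped like Sysmon Event ID 1 fields (not telemetry from this sample).
# The exclusion path mirrors the directory the sandbox saw bin.exe dropped into.
EXCLUSION_SCRIPT = 'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'
ENCODED_BLOB = base64.b64encode(EXCLUSION_SCRIPT.encode("utf-16-le")).decode("ascii")
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PARENT = r"C:\Users\user\AppData\Local\Temp\Contract.exe"

EVENTS = [
    {"Image": PS_IMAGE, "ParentImage": PARENT,
     "CommandLine": f"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand {ENCODED_BLOB}"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PARENT,
     "CommandLine": r'schtasks.exe /create /f /sc onlogon /rl highest /tn "bin" /tr "C:\Users\user\AppData\Roaming\bin.exe"'},
    {"Image": r"C:\Windows\System32\cmstp.exe", "ParentImage": PARENT,
     "CommandLine": r"cmstp.exe /au C:\Windows\Temp\zcxqfn1y.inf"},
    # Two benign events to show the rules do not fire on ordinary administration.
    {"Image": PS_IMAGE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "schtasks.exe /query /fo LIST"},
]

if __name__ == "__main__":
    for i, alerts in scan(EVENTS):
        print(i, EVENTS[i]["CommandLine"][:60], alerts)
```

The decode step matters: a rule that only matches `Add-MpPreference` in the raw command line misses the encoded form this sample's sandbox run produced (the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma hit above), so the exclusion check is run over both the raw and the decoded text.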
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.49 Win 32 Exe x86
Threat name:
Win32.Backdoor.Remcos
Status:
Malicious
First seen:
2026-07-01 09:56:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:xworm collection discovery execution persistence rat spyware stealer trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Family: Xworm
Malware Config
C2 Extraction:
109.248.150.234:443
Unpacked files
SHA256 hash:
7776706d26fb2dfd7cb96910810bb4c3a02b343a228035a0ca4db3ccf8e4d26a
MD5 hash:
6a26cc31650fd8ca3d62532cd1106899
SHA1 hash:
f04c0953e5169beb168fd9ebcba96ce5d2d38a92
SHA256 hash:
59dad66b983788b5010a43080a28ce7a26a33b329fe0205c49a599b66d61ee8f
MD5 hash:
c5386620c1bec9664de1a438ad8f1e32
SHA1 hash:
2bdaabec23ee27e5c6f1c43df38c3ebdd7c7b1b6
SHA256 hash:
2f94735d6a878f5313a0f810340ad67f90c8c628809aad4b4ded8273f85545bb
MD5 hash:
e73a5813104399bc943a726ccb773b42
SHA1 hash:
473f67d281db9a9b9eef61c78f03868c2e6c5aa8
SHA256 hash:
f9183d461a9ef71e1a0a97ddef54f5a785c3d4fa1ac6cb979a82206a52037928
MD5 hash:
ef3e974cb8bc7d3ab1ad98f55b7ba7c3
SHA1 hash:
7466eb7f8f9b5b57bb28e1d0493c390aba833da9
Detections:
win_xworm_a0 win_xworm_w0 XWorm
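To check a file in hand, or a hash from an AV alert, against the unpacked-file hashes and the extracted C2 above, here is an added Python example; it is not MalwareBazaar code. The hash table is copied from this entry and the C2 endpoint from the malware configuration. The file bytes and connection-log lines are constructed for the demonstration, and the log format (timestamp, source IP, source port, destination IP, destination port, protocol) is an assumption, not a capture from this sample.

```python
import hashlib

# Hash sets copied from the "Unpacked files" table of this entry, keyed by SHA256.
# The first entry is the submitted sample itself.
UNPACKED_FILES = {
    "7776706d26fb2dfd7cb96910810bb4c3a02b343a228035a0ca4db3ccf8e4d26a": {
        "md5": "6a26cc31650fd8ca3d62532cd1106899",
        "sha1": "f04c0953e5169beb168fd9ebcba96ce5d2d38a92"},
    "59dad66b983788b5010a43080a28ce7a26a33b329fe0205c49a599b66d61ee8f": {
        "md5": "c5386620c1bec9664de1a438ad8f1e32",
        "sha1": "2bdaabec23ee27e5c6f1c43df38c3ebdd7c7b1b6"},
    "2f94735d6a878f5313a0f810340ad67f90c8c628809aad4b4ded8273f85545bb": {
        "md5": "e73a5813104399bc943a726ccb773b42",
        "sha1": "473f67d281db9a9b9eef61c78f03868c2e6c5aa8"},
    "f9183d461a9ef71e1a0a97ddef54f5a785c3d4fa1ac6cb979a82206a52037928": {
        "md5": "ef3e974cb8bc7d3ab1ad98f55b7ba7c3",
        "sha1": "7466eb7f8f9b5b57bb28e1d0493c390aba833da9"},
}

# C2 endpoint from the extracted malware configuration (ip, port).
C2_ENDPOINTS = {("109.248.150.234", 443)}


def _build_index():
    """Lookup from any known digest (md5, sha1 or sha256) to (sha256, algorithm)."""
    idx = {}
    for sha256, others in UNPACKED_FILES.items():
        idx[sha256] = (sha256, "sha256")
        for algo, digest in others.items():
            idx[digest] = (sha256, algo)
    return idx


HASH_INDEX = _build_index()


def lookup_hash(digest):
    """Resolve a digest of any supported type to (sha256, algorithm), or None.
    Case and whitespace are normalised because hashes pasted from alerts vary."""
    return HASH_INDEX.get(digest.strip().lower())


def hash_bytes(data):
    """MD5, SHA1 and SHA256 of a byte string, as hex."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def identify(data):
    """Hash file bytes and report which entry (if any) they match.
    Also cross-checks MD5/SHA1 so a copy error in the IOC table is noticed."""
    digests = hash_bytes(data)
    hit = lookup_hash(digests["sha256"])
    if hit is None:
        return None
    sha256 = hit[0]
    consistent = all(UNPACKED_FILES[sha256][a] == digests[a] for a in ("md5", "sha1"))
    return {"sha256": sha256, "consistent": consistent}


def find_c2_connections(log_text):
    """Scan connection-log lines for the C2. Exact ip:port hits are separated from
    ip-only hits, since the port in a config can change between builds."""
    c2_ips = {ip for ip, _ in C2_ENDPOINTS}
    exact, ip_only = [], []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        dst_ip, dst_port = parts[3], int(parts[4])
        if (dst_ip, dst_port) in C2_ENDPOINTS:
            exact.append(line)
        elif dst_ip in c2_ips:
            ip_only.append(line)
    return {"exact": exact, "ip_only": ip_only}


# Constructed log lines: ts src_ip src_port dst_ip dst_port proto. The second
# destination is a documentation address (RFC 5737), not a real host.
SAMPLE_LOG = """\
1751450400.123 10.0.0.15 49720 109.248.150.234 443 tcp
1751450401.456 10.0.0.15 49721 203.0.113.10 443 tcp
1751450402.789 10.0.0.22 53211 109.248.150.234 8080 tcp
"""

if __name__ == "__main__":
    print(lookup_hash("6A26CC31650FD8CA3D62532CD1106899"))
    print(identify(b"not the real sample, constructed stand-in bytes"))
    print(find_c2_connections(SAMPLE_LOG))
```

Looking hashes up by any algorithm is the practical part: an EDR alert usually carries only an MD5 or SHA1, while MalwareBazaar and most sharing platforms key on SHA256, and the table above supplies all three for each unpacked file.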
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
XWorm
Executable exe 7776706d26fb2dfd7cb96910810bb4c3a02b343a228035a0ca4db3ccf8e4d26a (this sample)

Delivery method
Distributed via e-mail attachment

Comments