MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a4e6cb96cfa53aa0638b29d38ddc1a31cc53b807e6cc3299f891272a8d00d03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a4e6cb96cfa53aa0638b29d38ddc1a31cc53b807e6cc3299f891272a8d00d03
SHA3-384 hash: a1c968689326d83f93083555ff6e37bd175d933c9fe4264beb1cd9735ca63566d7a11c1150f303a9f37cab0f3588c990
SHA1 hash: 8b79f94c36770a0fb9a472369f2490beaf4f2b71
MD5 hash: 52863d3c96f1fd0be6fdb1f5f510b888
humanhash: missouri-music-nevada-ack
File name:e-dekont.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:206'848 bytes
First seen:2026-02-05 10:21:23 UTC
Last seen:2026-02-05 11:31:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash df0774ee1f0224e08060a6563fcbd4b3 (1 x XWorm)
ssdeep 3072:6dxNcnUFeeNsDiEn8mozMixKrUOJrJxa+Ef+xJMpGYu5lybW0Zu+3a1cLk:/UFKuEIkrUeja+Emk5ufybW0NaaLk
Threatray 767 similar samples on MalwareBazaar
TLSH T1011412BD510EE9AFD552C2766E444328CE24F91791177ACE8293A03037D52E0CFB6E8E
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter threatcat_ch
Tags:exe xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
CH CH
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
e-dekont.exe
Verdict:
Malicious activity
Analysis date:
2026-02-05 10:22:45 UTC
Tags:
xworm remote auto-startup
Link:
https://app.any.run/tasks/3086d18f-b504-48ad-be16-efaa394232dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51791/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.43638869.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69846f583361f35a4b0b327c
Tags:
autorun extens virus spawn
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug hacktool masm packed soft-404
Link:
https://www.filescan.io/uploads/69846f55930564ff3c8c7a19/reports/905a49b7-a7cd-4a42-929f-f678b7f5d67b/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/7a4e6cb96cfa53aa0638b29d38ddc1a31cc53b807e6cc3299f891272a8d00d03
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-02-05T07:19:00Z UTC
Last seen:
2026-02-07T01:36:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.Agent.smfllj BSS:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/7a4e6cb96cfa53aa0638b29d38ddc1a31cc53b807e6cc3299f891272a8d00d03/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b3cfb21d-54bc-4973-b0e0-2d848636a9c7
Result
Threat name:
DonutLoader, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1863868
Signature
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Windows Binaries Write Suspicious Extensions
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Yara detected DonutLoader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7a4e6cb96cfa53aa0638b29d38ddc1a31cc53b807e6cc3299f891272a8d00d03
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/52863d3c96f1fd0be6fdb1f5f510b888
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a4e6cb96cfa53aa0638b29d38ddc1a31cc53b807e6cc3299f891272a8d00d03/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/7a4e6cb96cfa53aa0638b29d38ddc1a31cc53b807e6cc3299f891272a8d00d03
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2026-02-05 10:22:16 UTC
File Type:
PE+ (Exe)
Extracted files:
6
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pjhgzolm7jj2ubrywkotrxobumomko4apzwmgkm7rejhfkgqbubq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
donutloader
Create hunting rule
Similar samples:
70c4f474516adb9bba17759bf2023ad445fe8910fa83cdcc225b14a8ccb6fb69
XWorm
7a4e6cb96cfa53aa0638b29d38ddc1a31cc53b807e6cc3299f891272a8d00d03
XWorm
8eedf8119ec470703322859e187ae6feede1d9e43fd4be691a1312ecfbf35336
XWorm
9c9cf095c3ff1c23a4938f8f815055521383bc6ec5e27d4647f0f6037f500402
XWorm
ac7736de11e9b360d7ac3248242f04d1f7f31612ae5d4b74aef6bba8eea7099a
XWorm
ad925bc485fb6fa119d5479f42e54555e84c20ab77a6b7641cda4532047c2789
XWorm
d4a68d8a848dd0af45a07168ddb2cae1598d3dff26c7e1a82d55881af058c43b
XWorm
error
XWorm
f254174cd03da1a24f879e5d6f669e6b0109449e705f25b6d54611fbc249de84
XWorm
+ 757 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:xworm collection loader rat trojan
Link:
https://tria.ge/reports/260205-mebecsd14e/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Detect Xworm Payload
Detects DonutLoader
DonutLoader
Donutloader family
Xworm
Xworm family
Malware Config
C2 Extraction:
104.168.115.88:2828
Unpacked files
SH256 hash:
7a4e6cb96cfa53aa0638b29d38ddc1a31cc53b807e6cc3299f891272a8d00d03
MD5 hash:
52863d3c96f1fd0be6fdb1f5f510b888
SHA1 hash:
8b79f94c36770a0fb9a472369f2490beaf4f2b71
Link:
https://www.unpac.me/results/1cec9b5a-0dcd-4282-a259-3e12d6dc3e8c/
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7a4e6cb96cfa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.63
Link:
https://yomi.yoroi.company/submissions/7a4e6cb96cfa53aa0638b29d38ddc1a31cc53b807e6cc3299f891272a8d00d03

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Executable exe 7a4e6cb96cfa53aa0638b29d38ddc1a31cc53b807e6cc3299f891272a8d00d03

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/51791/

Comments