MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7dae70f040b7ff11b7f3bd92f78e409d88a279a593990beafe8208a2df86d5c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XWorm


Vendor detections: 20



SHA256 hash: 7dae70f040b7ff11b7f3bd92f78e409d88a279a593990beafe8208a2df86d5c7
SHA3-384 hash: d461d031966fa6d86f37c5459b2955675e659dbf7c6a76235134a2b5a53d534935cdc76e8426c19b43da3d985e572c86
SHA1 hash: 67df65c0784fabe8a165904b4ed3bddc77d3af12
MD5 hash: 3e148182552295d2725bb68de5d5a1d0
humanhash: florida-south-butter-nitrogen
File name: Setup.exe
Download: download sample
Signature: XWorm
File size: 3'085'824 bytes
First seen: 2025-12-13 01:00:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 49152:F9ob10vG7y5RtMF8cr1FuplaXCG/qjD/B+Jw24lOkYPRyPS/w27iz:7oJGGWRtbcQqEd2kYkqx
Threatray: 121 similar samples on MalwareBazaar
TLSH: T1D5E5CF091B342524CA455B75A631D5B643022F49EC37A2AAA9CD3F4FFC31913DCA9CBB
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: abuse_ch
Tags: exe xworm
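The imphash on this record is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples because it is the value every managed (.NET) executable produces: the CLR loader stub imports exactly one symbol, mscoree.dll!_CorExeMain, and TrID already classifies the file as a generic CIL executable. It is therefore not a pivot for this sample. The following is an added example, not part of the MalwareBazaar record: it reimplements the import-hash algorithm as pefile computes it (lower-case, strip the .dll/.ocx/.sys suffix, join "lib.func" with commas, MD5) and checks the record's value against that one-entry import table. Both import tables in the block are constructed for illustration.

```python
"""Recompute a PE import hash (imphash) the way pefile does, to show why the
value on this record carries no family information. Added example; the import
tables below are constructed, not extracted from the sample."""
import hashlib

_STRIPPED_EXTS = ("dll", "ocx", "sys")


def imphash(imports):
    """imports: list of (dll_name, function_name_or_ordinal) pairs in import-table
    order. Mirrors pefile.PE.get_imphash(): lower-case everything, drop a
    .dll/.ocx/.sys suffix, render ordinals as 'ordN', join as 'lib.func' with
    commas and MD5 the joined string."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in _STRIPPED_EXTS:
            lib = base
        if isinstance(func, int):
            func = f"ord{func}"
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# Constructed: the import table of a typical managed (.NET) executable.
# The CLR loader stub imports a single symbol, so every such binary hashes the same.
DOTNET_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# Constructed: a small native import table, for contrast.
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "WriteFile"),
    ("ADVAPI32.dll", "RegSetValueExW"),
]

RECORD_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"  # value shown on this record


def is_generic_dotnet_imphash(value):
    """True when the imphash is the one produced by a bare _CorExeMain stub,
    i.e. it identifies '.NET executable' and nothing more specific."""
    return value.lower() == imphash(DOTNET_IMPORTS)


if __name__ == "__main__":
    print("computed .NET stub imphash:", imphash(DOTNET_IMPORTS))
    print("record imphash is the generic .NET value:",
          is_generic_dotnet_imphash(RECORD_IMPHASH))
    print("native example imphash:", imphash(NATIVE_IMPORTS))
```

For this sample the useful similarity pivots are the ssdeep, TLSH and Threatray entries above, plus the extracted C2 configuration, not the imphash.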


abuse_ch
XWorm C2:
45.133.180.154:6677

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
45.133.180.154:6677 | https://threatfox.abuse.ch/ioc/1677597/

Intelligence


File Origin
# of uploads: 1
# of downloads: 130
Origin country: NL
Vendor Threat Intelligence
Malware configuration found for:
AgentMask EvilCoder XWorm
Details
AgentMask
a mutex, installation parameters, interval, and an AES-ECB decrypted component
EvilCoder
a mutex and AES-ECB decrypted component(s)
XWorm
a version, a filepath, a mutex, a c2 socket address or a dead-drop resolver URL, and possibly cryptocurrency wallets and a Telegram URL
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2025-12-13 00:46:29 UTC
Tags:
delphi inno installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
dropper shell micro
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
asyncrat packed unsafe vbnet xworm
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-12T21:50:00Z UTC
Last seen:
2025-12-14T16:16:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win32.Generic HEUR:Trojan.MSIL.APosT.gen HEUR:Exploit.MSIL.BypassUAC.gen Trojan.Win32.Agent.sb Trojan.MSIL.Crypt.sb Backdoor.MSIL.Agent.sb Trojan-Dropper.Win32.Agent.sb HEUR:Trojan.MSIL.Cryptos.gen PDM:Trojan.Win32.Generic HEUR:Backdoor.MSIL.XWorm.gen Backdoor.MSIL.XWorm.a PDM:Worm.Win32.Generic HEUR:Backdoor.MSIL.XClient.b Backdoor.MSIL.XWorm.b Trojan-PSW.Win32.Stealer.sb
Result
Threat name:
PureLog Stealer, XWorm
Detection:
malicious
Classification:
troj.expl.evad.spyw
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Uses dynamic DNS services
Yara detected PureLog Stealer
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
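Three of the signatures above describe one defence-evasion step in the process tree: the dropped MicrosoftDrivers.exe and MicrosoftAudio.exe spawn powershell.exe with the execution policy bypassed and a base64-encoded command that adds a Windows Defender exclusion (the Sigma hit "Powershell Base64 Encoded MpPreference Cmdlet"). The block below is an added detection example, not part of the sandbox report or the MalwareBazaar record: it decodes the -EncodedCommand argument of process-creation records (UTF-16LE under base64, which is what powershell.exe expects) and flags Add-/Set-MpPreference exclusion changes and execution-policy bypasses. The four events are constructed; the parent paths are constructed as well, since the record truncates the directories.

```python
"""Decode PowerShell -EncodedCommand payloads in process-creation records and
flag Defender exclusion changes and execution-policy bypasses. Added example,
not from the sandbox report; every event below is constructed."""
import base64
import re


def encode_for_powershell(script):
    """Produce what powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events in the shape of a Sysmon Event ID 1 /
# Security 4688 record. Parent paths are constructed; the record truncates them.
SAMPLE_EVENTS = [
    {"pid": 29, "parent": r"C:\Users\user\AppData\Roaming\MicrosoftDrivers.exe",
     "cmd": "powershell.exe -ExecutionPolicy Bypass -NoProfile -EncodedCommand "
            + encode_for_powershell(r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'")},
    {"pid": 34, "parent": r"C:\Users\user\AppData\Roaming\MicrosoftAudio.exe",
     "cmd": "powershell -nop -w hidden -enc "
            + encode_for_powershell("Add-MpPreference -ExclusionProcess 'MicrosoftAudio.exe'")},
    {"pid": 501, "parent": r"C:\Windows\explorer.exe",
     "cmd": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Temp"},
    {"pid": 502, "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": "powershell.exe -enc " + encode_for_powershell("Get-Date")},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.I)
# -ExecutionPolicy Bypass, including abbreviated forms such as -ep and -exec.
POLICY_BYPASS = re.compile(r"-(ep|ex[a-z]*)\s+bypass", re.I)
# Add-/Set-MpPreference followed by an exclusion or Disable* parameter on the same line.
MP_TAMPER = re.compile(
    r"\b(Add|Set)-MpPreference\b[^\r\n]*?-(Exclusion(?:Path|Process|Extension)|Disable\w+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded script, or None if no valid encoded-command argument is present."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENC_FLAG.match(tok):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
            return raw.decode("utf-16-le", errors="replace")
    return None


def analyse(event):
    """Classify one event; matching runs over the command line plus the decoded script."""
    decoded = decode_encoded_command(event["cmd"])
    visible = event["cmd"] if decoded is None else event["cmd"] + "\n" + decoded
    findings = []
    if decoded is not None:
        findings.append("encoded_command")
    if POLICY_BYPASS.search(visible):
        findings.append("execution_policy_bypass")
    m = MP_TAMPER.search(visible)
    if m:
        findings.append("defender_tamper:" + m.group(2))
    return {"pid": event["pid"], "parent": event["parent"],
            "decoded": decoded, "findings": findings}


def triage(events):
    """Keep only events that touch Defender preferences or bypass the execution
    policy; an encoded command on its own is common in legitimate automation."""
    out = []
    for ev in events:
        r = analyse(ev)
        if any(f.startswith("defender_tamper") or f == "execution_policy_bypass"
               for f in r["findings"]):
            out.append(r)
    return out


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["pid"], hit["parent"], hit["findings"], repr(hit["decoded"]))
```

Decoding first and then matching is a deliberate choice: Sigma rules of this kind typically match the three base64 alignments of the literal "Add-MpPreference" string inside the command line, which is fast but misses a script that reaches the cmdlet through a variable or an alias. Decoding costs one base64 pass per event and lets the same pattern cover both encoded and plain invocations, and it also pairs the finding with the parent image, which is the field that makes the two hits above stand out (an installer in the user's AppData spawning PowerShell).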
Behaviour
Behavior Graph:
Behavior Graph ID: 1831944 | Sample: Setup.exe | Start date: 13/12/2025 | Architecture: WINDOWS | Score: 100

Network contacts:
- network112.duckdns.org -> 45.133.180.154 (M247GB, Romania); ports listed: 49728, 49730, 49731; contacted by MicrosoftAudio.exe [Uses dynamic DNS services]
- insellerate.net -> 104.40.65.56 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); ports listed: 443, 49719, 49720; contacted by MicrosoftAudio.exe
- bg.microsoft.map.fastly.net

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures

Process tree (dropped files and per-process signatures are indented under the process that produced them):
- Setup.exe
  - dropped: C:\Users\user\AppData\Roaming\Setup.exe (PE32)
  - dropped: C:\Users\user\...\MicrosoftDrivers.exe (PE32)
  - dropped: C:\Users\user\AppData\...\MicrosoftAudio.exe (PE32)
  - dropped: C:\Users\user\AppData\Local\...\Setup.exe.log (CSV)
  - MicrosoftDrivers.exe
    - dropped: C:\Users\user\...\MicrosoftDrivers.exe (PE32)
    - signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Bypasses PowerShell execution policy
    - powershell.exe
      - signatures: Found many strings related to Crypto-Wallets (likely being stolen); Loading BitLocker PowerShell Module
      - conhost.exe
    - powershell.exe
      - conhost.exe
  - MicrosoftAudio.exe
    - network: insellerate.net (104.40.65.56, port 443)
    - dropped: C:\Users\user\AppData\...\MicrosoftAudio.exe (PE32)
    - signatures: Adds a directory exclusion to Windows Defender
    - powershell.exe
      - conhost.exe
    - powershell.exe
      - conhost.exe
  - Setup.exe (child)
    - dropped: C:\Users\user\AppData\Local\...\Setup.tmp (PE32)
    - Setup.tmp
      - dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
- MicrosoftAudio.exe (started separately)
  - signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); 3 other signatures
- MicrosoftAudio.exe (started separately)
  - network: network112.duckdns.org (45.133.180.154)
  - signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal Bitcoin Wallet information; Installs a global keyboard hook
- 2 other processes
  - signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
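The IOC table above lists the ThreatFox-confirmed C2 socket, and the behavior graph adds the dynamic-DNS name that resolved to that address plus the file names the sample dropped under the user profile. The port list in the graph mixes the destination port with the sandbox client's ephemeral source ports (443 appears next to 49719 and 49720 for the second host), so a sweep should key on the configured C2 socket 45.133.180.154:6677 rather than on the 497xx values. The block below is an added example, not part of the record: it runs those indicators over constructed Zeek-style conn and dns rows and constructed Sysmon FileCreate rows. Hosts, timestamps and the 203.0.113.0/24 addresses are invented; insellerate.net (104.40.65.56) is present in the graph but not on the IOC list, so the example treats that contact as non-alerting.

```python
"""Sweep constructed network and host logs for this sample's indicators.
Added example; the indicator values come from this record, every log row below
is constructed and the internal hosts and timestamps are invented."""

# Confirmed indicator: the ThreatFox-listed XWorm C2 socket.
C2_SOCKETS = {("45.133.180.154", 6677)}
C2_IPS = {ip for ip, _ in C2_SOCKETS}
# Observed in the sandbox behavior graph: dynamic-DNS name that resolved to the C2 IP.
C2_DOMAINS = {"network112.duckdns.org"}
# File names the sample dropped under the user profile (directories are truncated on the record).
DROPPED_NAMES = {"microsoftaudio.exe", "microsoftdrivers.exe"}

# Constructed Zeek conn.log-style rows: ts, uid, src, sport, dst, dport, proto.
# 203.0.113.0/24 is documentation space; 104.40.65.56:443 is the non-IOC host the sandbox also contacted.
CONN_LOG = """\
1765587612.101\tCabc1\t10.0.0.23\t49728\t45.133.180.154\t6677\ttcp
1765587613.402\tCabc2\t10.0.0.23\t49719\t104.40.65.56\t443\ttcp
1765587620.000\tCabc3\t10.0.0.44\t51000\t203.0.113.53\t53\tudp
1765587630.777\tCabc4\t10.0.0.23\t49731\t45.133.180.154\t6677\ttcp
"""

# Constructed Zeek dns.log-style rows: ts, src, query, answer ('-' = no answer returned).
DNS_LOG = """\
1765587611.900\t10.0.0.23\tnetwork112.duckdns.org\t45.133.180.154
1765587612.500\t10.0.0.44\tbg.microsoft.map.fastly.net\t203.0.113.80
1765587700.000\t10.0.0.51\tnetwork112.duckdns.org\t-
"""

# Constructed Sysmon Event ID 11 (FileCreate) style rows: host, creating image, target path.
FILE_EVENTS = [
    ("10.0.0.23", r"C:\Users\user\Downloads\Setup.exe", r"C:\Users\user\AppData\Roaming\MicrosoftAudio.exe"),
    ("10.0.0.23", r"C:\Users\user\Downloads\Setup.exe", r"C:\Users\user\AppData\Roaming\MicrosoftDrivers.exe"),
    ("10.0.0.44", r"C:\Windows\System32\svchost.exe", r"C:\Windows\Temp\MicrosoftAudio.log"),
    ("10.0.0.51", r"C:\Program Files\Vendor\setup.exe", r"C:\Program Files\Vendor\Audio\MicrosoftAudio.exe"),
]


def scan_conn(log):
    """Flag connections to the confirmed C2 socket; note the same IP on other ports separately."""
    hits = []
    for line in log.splitlines():
        ts, _uid, src, _sport, dst, dport, _proto = line.split("\t")
        if (dst, int(dport)) in C2_SOCKETS:
            hits.append({"ts": ts, "src": src, "dst": f"{dst}:{dport}", "tier": "confirmed"})
        elif dst in C2_IPS:
            hits.append({"ts": ts, "src": src, "dst": f"{dst}:{dport}", "tier": "same-ip-other-port"})
    return hits


def scan_dns(log):
    """Flag lookups of the C2 domain, or any name answering with the C2 IP; a query
    with no answer still identifies a host that tried to reach the controller."""
    hits = []
    for line in log.splitlines():
        ts, src, query, answer = line.split("\t")
        q = query.lower().rstrip(".")
        if q in C2_DOMAINS or answer in C2_IPS:
            hits.append({"ts": ts, "src": src, "query": q, "answer": answer, "tier": "observed"})
    return hits


def scan_files(events):
    """Flag the dropped file names, but only under AppData, where the sample wrote them;
    the same names elsewhere are not evidence on their own."""
    hits = []
    for host, image, target in events:
        name = target.rsplit("\\", 1)[-1].lower()
        if name in DROPPED_NAMES and "\\appdata\\" in target.lower():
            hits.append({"host": host, "image": image, "path": target})
    return hits


def affected_hosts():
    """Union of hosts that hit any indicator class, for scoping containment."""
    hosts = {h["src"] for h in scan_conn(CONN_LOG)}
    hosts |= {h["src"] for h in scan_dns(DNS_LOG)}
    hosts |= {h["host"] for h in scan_files(FILE_EVENTS)}
    return hosts


if __name__ == "__main__":
    for h in scan_conn(CONN_LOG) + scan_dns(DNS_LOG) + scan_files(FILE_EVENTS):
        print(h)
    print("hosts to contain:", sorted(affected_hosts()))
```

Note that 10.0.0.51 is caught only through DNS: its lookup of network112.duckdns.org returned no answer, so there is no connection row, but the attempt is enough to scope it in. That is the practical reason to keep the dynamic-DNS name in the indicator set alongside the resolved socket.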
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.18 Win 32 Exe x86
Threat name:
ByteCode-MSIL.Trojan.Cassiopeia
Status:
Malicious
First seen:
2025-12-13 00:46:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:xworm discovery execution installer persistence ransomware rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Inno Setup is an open-source installation builder for Windows applications.
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Unpacked files
SHA256 hash: 7dae70f040b7ff11b7f3bd92f78e409d88a279a593990beafe8208a2df86d5c7
MD5 hash: 3e148182552295d2725bb68de5d5a1d0
SHA1 hash: 67df65c0784fabe8a165904b4ed3bddc77d3af12

SHA256 hash: bc3ac032b1d06065b90787552065f2b0b9e188480a46b2b0537858392d735974
MD5 hash: d87ef37b2a9db88f9d6720b45e4a4daa
SHA1 hash: eb4a13ce8c89456ddf41217ac8e160549ea0e991

SHA256 hash: 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash: e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash: 019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256 hash: 3492e53dacf5cd5a7c8f837933740fb1b728489fa981e043428eeaaeaf2199a6
MD5 hash: 78c1e17ed9ee33fe6e25813d0b0b4278
SHA1 hash: 09a60f8c7dd60c22e5ea2f8741d4f5a16ad3da1f

SHA256 hash: 6931bb797b1f33729022e3dba7e55d3ad7e08858f6fef569f19f1dd6e0cff5b1
MD5 hash: d4f719c2acefc1d60c65749c08310f2a
SHA1 hash: 968d03db25310859b31c8eb19410ca948009794b
Detections: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD

SHA256 hash: 281c3651bed9202b1c0ca1f685e3577907e103122f0800806d9e3e5d2e8a0983
MD5 hash: 18eddca199d7ddd69c94667069dfc0b3
SHA1 hash: 82a34d0d97c109bbe5e7cb8fef3bed601ca0a051
Detections: SUSP_NET_Large_Static_Array_In_Small_File_Jan24 INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments