MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ebf3abd2208ff479bd6b3a546833f757c90519c377ef13a7f08549d6d32437a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ebf3abd2208ff479bd6b3a546833f757c90519c377ef13a7f08549d6d32437a
SHA3-384 hash: 508f0808d566cef1a6934626198706f0c0a9a2a7a22a9cd94fa123cba81a3df76a4fef5978c058d3289a5873673307d9
SHA1 hash: 60fee55ae8ea754751f63aeeb4a7b58a8a3de960
MD5 hash: 04f19d542018fbee2f0cf1da0114be7c
humanhash: steak-steak-oklahoma-table
File name:04f19d542018fbee2f0cf1da0114be7c.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:8'931'748 bytes
First seen:2025-09-06 19:30:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2ac0df3cb49d714c81e70b5b92c304f2 (3 x HijackLoader, 1 x ACRStealer, 1 x DeerStealer)
ssdeep 196608:4iNEhtYiIvB0VsFGtmC17CZJ3lk5OTn8hi+P0pYTOu9qhNif:dEhtYIVyGtzGJ1k5OYY+PV
Threatray 2'348 similar samples on MalwareBazaar
TLSH T1F096E1137690903EE5AA02714C6FAE6485A57D738A314257F7A0FF1D2DF05C2BA23B1B
TrID 88.5% (.AX) DirectShow filter (201555/2/20)
4.6% (.EXE) Win64 Executable (generic) (10522/11/4)
2.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.9% (.EXE) Win32 Executable (generic) (4504/4/1)
0.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe xworm


Avatar
abuse_ch
XWorm C2:
104.161.17.20:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
104.161.17.20:443 https://threatfox.abuse.ch/ioc/1582861/

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
04f19d542018fbee2f0cf1da0114be7c.exe
Verdict:
No threats detected
Analysis date:
2025-09-06 19:32:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/397bb554-6b7c-431f-92d4-f06ed3b40e98

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26026/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68bc8bf63e988eb6ab843b68
Tags:
vmdetect phonzy
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Creating a file in the %AppData% subdirectories
Connection attempt
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm explorer fingerprint lolbin microsoft_visual_cc msiexec obfuscated overlay packed packer_detected remote runonce threat
Link:
https://www.filescan.io/uploads/68bc8bf120d0ee406d9834c6/reports/ea0165d4-8c52-4994-939f-77d3c65deb3c/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/7ebf3abd2208ff479bd6b3a546833f757c90519c377ef13a7f08549d6d32437a
Verdict:
Unknown
File Type:
exe x32
Link:
https://opentip.kaspersky.com/7ebf3abd2208ff479bd6b3a546833f757c90519c377ef13a7f08549d6d32437a/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0bf57580-01e7-4f42-9b2d-1a818c362ae2
Result
Threat name:
HijackLoader, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1772442
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Yara detected HijackLoader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1772442 Sample: 1IxkrFwivx.exe Startdate: 06/09/2025 Architecture: WINDOWS Score: 100 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Multi AV Scanner detection for dropped file 2->67 69 8 other signatures 2->69 9 1IxkrFwivx.exe 29 2->9         started        process3 file4 33 C:\Users\user\AppData\Local\...\setup.exe, PE32 9->33 dropped 35 C:\Users\user\AppData\Local\...\ISSetup.dll, PE32 9->35 dropped 37 C:\Users\user\...\1IxkrFwivx.exe (copy), PE32 9->37 dropped 39 C:\Users\user\AppData\...\1IxkrFwivx.exe, PE32 9->39 dropped 12 1IxkrFwivx.exe 58 9->12         started        process5 file6 43 C:\Users\user\AppData\Local\...\ISSetup.dll, PE32 12->43 dropped 45 C:\Users\user\AppData\Local\...\mfc9E03.tmp, PE32+ 12->45 dropped 47 C:\Users\user\AppData\...\mfc110u.dll (copy), PE32+ 12->47 dropped 49 16 other malicious files 12->49 dropped 15 Matri-Smart.exe 7 12->15         started        19 ISBEW64.exe 12->19         started        21 ISBEW64.exe 12->21         started        23 4 other processes 12->23 process7 file8 51 C:\ProgramData\krtool_alpha\mfc110u.dll, PE32+ 15->51 dropped 53 C:\ProgramData\krtool_alpha\Matri-Smart.exe, PE32+ 15->53 dropped 55 C:\ProgramData\krtool_alpha\MSVCR110.dll, PE32+ 15->55 dropped 57 C:\ProgramData\krtool_alpha\MSVCP110.dll, PE32+ 15->57 dropped 61 Found direct / indirect Syscall (likely to bypass EDR) 15->61 25 Matri-Smart.exe 4 15->25         started        signatures9 process10 file11 41 C:\Users\user\AppData\Roaming\...\Chime.exe, PE32 25->41 dropped 71 Maps a DLL or memory area into another process 25->71 73 Found direct / indirect Syscall (likely to bypass EDR) 25->73 29 Chime.exe 2 25->29         started        signatures12 process13 dnsIp14 59 104.161.17.20, 443, 49721 IOFLOODUS United States 29->59 75 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->75 77 Switches to a custom stack to bypass stack traces 29->77 79 Found direct / indirect Syscall (likely to bypass EDR) 29->79 signatures15
Score:
37%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/7ebf3abd2208ff479bd6b3a546833f757c90519c377ef13a7f08549d6d32437a
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ebf3abd2208ff479bd6b3a546833f757c90519c377ef13a7f08549d6d32437a/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-04 10:43:00 UTC
File Type:
PE (Exe)
Extracted files:
1028
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p27tvpjcbd7upg6wwosunaz7ov6jaum4g57pcot7bbkj23jsin5a._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
23e4b691dc7bb0880e1383832e081071901967cb33978d8bce39c2cf0e720407
XWorm
2689f1911629e858f5ef34dc68fb0bc2acc95c901abe37f946a92cf0ee7c6e3e
XWorm
4412cd9b7b42bb5d649f16c0c7c234e263a49b6f589daa16d5b34f0b2c665ff3
XWorm
71026d8d4633c7f76147cb7ccdb1c0305e8959e25a9210f749a09c8ed31f8a93
XWorm
error
XWorm
+ 2'338 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:xworm discovery loader rat trojan
Link:
https://tria.ge/reports/250906-x762vazmx7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Detect Xworm Payload
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Xworm
Xworm family
Malware Config
C2 Extraction:
104.161.17.20:443
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7c37338b-0d71-426b-9665-f695166e857b
Unpacked files
SH256 hash:
7ebf3abd2208ff479bd6b3a546833f757c90519c377ef13a7f08549d6d32437a
MD5 hash:
04f19d542018fbee2f0cf1da0114be7c
SHA1 hash:
60fee55ae8ea754751f63aeeb4a7b58a8a3de960
Link:
https://www.unpac.me/results/f4f77062-ea54-4793-9c95-5bb1f931e1e9/
SH256 hash:
3030a0abc780611ae2bb389817dfb41633c76d6a30239818c2c5958f3727faac
MD5 hash:
5ffbaf9114e13bc5ca2f60cd95d78aa2
SHA1 hash:
883f9108b79d45d057c8ab95db239eab47da6609
Link:
https://www.unpac.me/results/f4f77062-ea54-4793-9c95-5bb1f931e1e9/
Malware family:
GHOSTPULSE
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7ebf3abd2208/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7ebf3abd2208ff479bd6b3a546833f757c90519c377ef13a7f08549d6d32437a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/26026/

Comments