MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f6eacd84180c9f8e7147154d02ad0154718af1ea0780f5cd9775823912f30fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 20


Intelligence 20 IOCs 1 YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f6eacd84180c9f8e7147154d02ad0154718af1ea0780f5cd9775823912f30fa
SHA3-384 hash: 05439c0fe20375c279401dd17e4a593e5a7511a5fadec0134785231796f597fbe46bcb88b8657ebd3db1a2134a054167
SHA1 hash: 918ad8b1ae27ca184e036a0a4318b645290ab966
MD5 hash: c2eac887f79a5d813957fe79d4809393
humanhash: muppet-utah-ink-october
File name:7f6eacd84180c9f8e7147154d02ad0154718af1ea0780.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:41'984 bytes
First seen:2025-07-14 20:30:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:QeHUrTYj/U2CG0u00OZ8F7KGpClRAERXyFi9OH6UOCh1F/q:PHU/O/U2CG0u6vG7Fi9OH6UOC7A
Threatray 1'471 similar samples on MalwareBazaar
TLSH T18A136D447BE5463ADEEE6FF519B3A2060731F5039913E78E0CC4899A1B6BBC0C911796
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe xworm


Avatar
abuse_ch
XWorm C2:
2.59.133.45:7001

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
2.59.133.45:7001 https://threatfox.abuse.ch/ioc/1556693/

Intelligence

File Origin
# of uploads :
1
# of downloads :
41
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random1.exe
Verdict:
Malicious activity
Analysis date:
2025-07-14 15:16:51 UTC
Tags:
auto purelogsstealer amadey botnet stealer loader rdp delphi gcleaner generic telegram lumma xworm crypto-regex remote qrcode
Link:
https://app.any.run/tasks/e83d9d0a-4255-4b29-b927-5cdf1cc36063

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/14318/
Detection(s):
Win.Packed.njRAT-10002074-1
Create hunting rule

Win.Packed.Msilzilla-10002982-0
Create hunting rule

Win.Packed.Msilzilla-10019837-0
Create hunting rule

Win.Packed.Loveletter-10023052-0
Create hunting rule

Win.Dropper.Nanocore-10024427-0
Create hunting rule

Win.Packed.Loveletter-10024677-0
Create hunting rule

Win.Packed.Msilzilla-10026193-0
Create hunting rule

Win.Malware.Deepscan-10028866-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=687568e9900df8e7f86ab8bf
Tags:
asyncrat autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file
Launching a process
Creating a window
Connection attempt
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Creating a file in the mass storage device
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Encrypting user's files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
njrat obfuscated packed packer_detected rat vbnet xworm
Link:
https://www.filescan.io/uploads/687568f78a7d628a81ae5ec3/reports/e2a55702-cdd0-4333-a617-fcc291f78ea4/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/7f6eacd84180c9f8e7147154d02ad0154718af1ea0780f5cd9775823912f30fa
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/850b2b64-aa72-4219-963b-f34d93c6a067
Result
Threat name:
HakunaMatata, KeyLogger, StormKitty, XWo
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1736508
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Found malware configuration
Found potential ransomware demand text
Found ransom note / readme
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Yara detected BrowserPasswordDump
Yara detected HakunaMatata Ransomware
Yara detected Keylogger Generic
Yara detected StormKitty Stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1736508 Sample: 7f6eacd84180c9f8e7147154d02... Startdate: 14/07/2025 Architecture: WINDOWS Score: 100 66 Suricata IDS alerts for network traffic 2->66 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 19 other signatures 2->72 7 7f6eacd84180c9f8e7147154d02ad0154718af1ea0780.exe 6 31 2->7         started        12 winlogon.exe 2->12         started        14 rundll32.exe 2->14         started        16 6 other processes 2->16 process3 dnsIp4 64 2.59.133.45, 49721, 7001 DE-FIRSTCOLOwwwfirst-colonetDE Germany 7->64 48 C:\Users\user\AppData\Local\winlogon.exe, PE32 7->48 dropped 50 C:\Users\user\AppData\Local\Temp\hqvzxv.exe, PE32 7->50 dropped 52 C:\Users\user\AppData\Local\Temp\qtfyhm.txt, Unicode 7->52 dropped 54 C:\Users\user\AppData\Local\Temp\fvsjqu.exe, PE32+ 7->54 dropped 78 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->78 80 Creates multiple autostart registry keys 7->80 82 Writes a notice file (html or txt) to demand a ransom 7->82 88 4 other signatures 7->88 18 hqvzxv.exe 7->18         started        22 powershell.exe 23 7->22         started        24 powershell.exe 23 7->24         started        26 5 other processes 7->26 84 Multi AV Scanner detection for dropped file 12->84 86 Found potential ransomware demand text 14->86 file5 signatures6 process7 file8 44 C:\Users\user\AppData\Local\rundll32.exe, PE32 18->44 dropped 46 C:\Users\user\AppData\...\hqvzxv.exe.log, CSV 18->46 dropped 74 Found potential ransomware demand text 18->74 28 rundll32.exe 18->28         started        76 Loading BitLocker PowerShell Module 22->76 32 conhost.exe 22->32         started        34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        38 conhost.exe 26->38         started        40 conhost.exe 26->40         started        42 fvsjqu.exe 26->42         started        signatures9 process10 file11 56 C:\Users\user\Links\Readme.txt, ASCII 28->56 dropped 58 C:\Users\user\Desktop\ZSSZYEFYMU.xlsx, data 28->58 dropped 60 C:\Users\user\Desktop\...\ZSSZYEFYMU.xlsx, data 28->60 dropped 62 2 other malicious files 28->62 dropped 90 Found potential ransomware demand text 28->90 92 Creates multiple autostart registry keys 28->92 94 Modifies existing user documents (likely ransomware behavior) 28->94 signatures12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7f6eacd84180c9f8e7147154d02ad0154718af1ea0780f5cd9775823912f30fa
Verdict:
njRat
YARA:
13 match(es)
Tags:
.Net Executable njRat PE (Portable Executable) RAT SOS: 0.03 Win 32 Exe x86
Link:
https://app.malva.re/file/c2eac887f79a5d813957fe79d4809393
Detection:
xworm
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7f6eacd84180c9f8e7147154d02ad0154718af1ea0780f5cd9775823912f30fa/
Threat name:
ByteCode-MSIL.Backdoor.XWormRAT
Create hunting rule
Status:
Malicious
First seen:
2025-07-14 18:23:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p5xkzwcbqde7rzyuofknakwqcvdrrly6ub4a6xgzo5mchejpgd5a._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
26820452d6f45063a5f396e9a4ffa4a1979a5a0e39afe5b4c96440baaa74c443
XWorm
44f611726336cec3fa65ba287bf135af2cd43c6441ead65ce4a54c154ea80f90
XWorm
717157d1d9377a0353d9a17f80c1a5571324851954cf381e58796d0ed7916ecc
XWorm
7f6eacd84180c9f8e7147154d02ad0154718af1ea0780f5cd9775823912f30fa
XWorm
9e635f3e25b5ef386e2ffb4facc56eb6c5394ee06fb58a03453d783ffec61933
XWorm
b22198ac3df18326aba01db3b50038e880327bad5ec59cc248848cd98d5eb0f6
XWorm
ed8bd59c514a257fd97b34500a3aa6c177878272e468aeea3c8ddfa64f244312
XWorm
error
XWorm
+ 1'461 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:stormkitty family:xworm discovery execution persistence pyinstaller ransomware rat spyware stealer trojan
Link:
https://tria.ge/reports/250714-zadedabn3v/
Behaviour
Modifies registry class
Opens file in notepad (likely ransom note)
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
Sets desktop wallpaper using registry
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
StormKitty
StormKitty payload
Stormkitty family
Xworm
Xworm family
Malware Config
C2 Extraction:
2.59.133.45:7001
Verdict:
Malicious
Tags:
rat xworm trojan Win.Packed.njRAT-10002074-1
YARA:
MALWARE_Win_XWorm win_mal_XWorm win_xworm_bytestring Windows_Generic_Threat_b509dfc8
Link:
https://app.threat.zone/submission/298f16d1-0a30-4164-8548-a6e9be39702a
Unpacked files
SH256 hash:
7f6eacd84180c9f8e7147154d02ad0154718af1ea0780f5cd9775823912f30fa
MD5 hash:
c2eac887f79a5d813957fe79d4809393
SHA1 hash:
918ad8b1ae27ca184e036a0a4318b645290ab966
Detections:
win_xworm_w0
Create hunting rule
XWorm
Create hunting rule
Link:
https://www.unpac.me/results/e2b84cce-c031-4370-b846-1bdf781f34ec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7f6eacd84180c9f8e7147154d02ad0154718af1ea0780f5cd9775823912f30fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Windows_Generic_Threat_b509dfc8
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_XWorm_b7d6eaa8
Create hunting rule
Author:Elastic Security
Rule name:win_xworm_bytestring
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects bytestring present in unobfuscated xworm
Rule name:win_xworm_w0
Create hunting rule
Author:jeFF0Falltrades
Description:Detects win.xworm.
Rule name:XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:xworm
Create hunting rule
Author:jeFF0Falltrades
Rule name:xworm_kingrat
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/14318/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments