MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ffa3011fcb679f93ad497805584a5808ad224091b74f774b46e41fb337bdd4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: XWorm
Vendor detections: 19
Intelligence: 19 | IOCs: 1 | YARA: 23

SHA256 hash: 7ffa3011fcb679f93ad497805584a5808ad224091b74f774b46e41fb337bdd4e
SHA3-384 hash: 411324d3d3bb9f896a2a4f06a5c5460d6319a820dadec8aca24652205fc582d196b29f5cd9b03baf06c879506181799b
SHA1 hash: 40510b6447edc26b21f5ce20ec7c7f18a3469c90
MD5 hash: f8515ac938352e7378a4dcae1300fb8f
humanhash: jupiter-august-network-robin
File name: F8515AC938352E7378A4DCAE1300FB8F.exe
Signature: XWorm
File size: 3'736'064 bytes
First seen: 2025-09-19 08:25:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'845 x AgentTesla, 19'778 x Formbook, 12'302 x SnakeKeylogger)
ssdeep: 98304:Th9NKGpeBYfuZwgGHKruNP1SIXRNYcAjzYD7PlLZ:sGpkYfeGqMHYslN
Threatray: 1'811 similar samples on MalwareBazaar
TLSH: T1B00633ACF91172EEDC1AC0B297AD0CE9F636ACBBC70F015B1063955E5D0C487DE950AA
TrID: 28.5% (.EXE) Win64 Executable (generic) (10522/11/4)
      17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      13.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      12.2% (.EXE) Win32 Executable (generic) (4504/4/1)
      5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
Reporter: abuse_ch
Tags: exe xworm


Comment by abuse_ch:
XWorm C2:
147.185.221.31:22366

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox reference
147.185.221.31:22366   https://threatfox.abuse.ch/ioc/1595582/

Intelligence

File Origin
# of uploads: 1
# of downloads: 146
Origin country: NL

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: F8515AC938352E7378A4DCAE1300FB8F.exe
Verdict: Malicious activity
Analysis date: 2025-09-19 08:36:14 UTC
Tags: auto-sch auto-reg auto-startup remote xworm ahk loader amsi-bypass
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 97.4%
Tags: autorun redline

Result
Verdict: Malware

Maliciousness:
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: confuser confuserex net obfuscated packed reconnaissance vbnet

Verdict: Malicious
File Type: exe x32
First seen: 2025-09-10T09:28:00Z UTC
Last seen: 2025-09-10T09:28:00Z UTC
Hits: ~10
Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature:
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops PE files to the user root directory
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has nameless sections
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample or dropped binary is a compiled AutoHotkey binary
Sample uses string decryption to hide its real strings
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
Behaviour
Behavior Graph: [graph image not reproduced; Behavior Graph ID: 1780573, Sample: 6eZcoAUfSq.exe, Startdate: 19/09/2025, Architecture: WINDOWS, Score: 100. Recoverable nodes: 6eZcoAUfSq.exe drops x69Auto.exe, AutoHotkey_1.1.37.02_setup.exe and 6eZcoAUfSq.exe.log; x69Auto.exe drops x69m5tl.exe and Install.exe; the AutoHotkey setup drops setup.exe, "Unicode 64-bit.bin" and "Unicode 32-bit.bin"; x69m5tl.exe drops x699ssm5t.exe and contacts wish-license.gl.at.ply.gg (147.185.221.31, port 22366, SALSGIVERUS, United States); dllhost.exe started by powershell.exe injects into winlogon.exe, svchost.exe, lsass.exe and dwm.exe; dllhost.exe started from winlogon.exe injects into svchost.exe and explorer.exe; multiple powershell.exe and conhost.exe child processes.]
Verdict: inconclusive
YARA: 9 match(es)
Tags: .Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.99 Win 32 Exe x86

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-09-10 17:02:00 UTC
File Type: PE (.Net Exe)
Extracted files: 15
AV detection: 17 of 36 (47.22%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:xworm defense_evasion discovery execution persistence rat trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
ConfuserEx .NET packer
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Command and Scripting Interpreter: PowerShell
Sets service image path in registry
Detect Xworm Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm
Xworm family
Malware Config
C2 Extraction: wish-license.gl.at.ply.gg:22366

Verdict: Malicious
Tags: red_team_tool
YARA: SUSP_NET_NAME_ConfuserEx
Unpacked files

SHA256 hash: 7ffa3011fcb679f93ad497805584a5808ad224091b74f774b46e41fb337bdd4e
MD5 hash: f8515ac938352e7378a4dcae1300fb8f
SHA1 hash: 40510b6447edc26b21f5ce20ec7c7f18a3469c90

SHA256 hash: 9c47ac87f76d51e0047102c7c12012f58f53235f7de20cceff7ee940a315245b
MD5 hash: 2681fa8b34a1cee708732ecac2343dd7
SHA1 hash: 531c202cfd00baf8f57b1f1671ccd5ae7aec9613
Detections: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD

SHA256 hash: 36c8609f219823e7eadd610a71afdc2b4e34516a30c317252c82d0e256b30935
MD5 hash: 4c697db2050bf409a4d032786f45fd60
SHA1 hash: cfaec5b2a1b1de9116455819b1b379ee0606fff4

SHA256 hash: 0f2218d45fa02aeecf91f2cdc3e638b957fe72c63b5b5f8a235260f4268c44c3
MD5 hash: 52d4b56ce960af8e065a82e42f383342
SHA1 hash: 145ec1ad3da62bc6720ffa7dece9287039da9270

SHA256 hash: e57cbfc23aaab3ed48007438f9b6fc34aa42ec1c8c73329a2f98ec61fb81c53f
MD5 hash: a6807422fd83a9382cc5f68f89e94320
SHA1 hash: 07cf4f4a5c2d3c869e9cc0df44d7899319feefac

SHA256 hash: 42761da4fc85e59f6896cfb587daa37f2c8a07a5730ee9ac990b799d715fcffe
MD5 hash: 49590f59fb0d38a02e11161130237b8b
SHA1 hash: 7b753aea00e4c65cebf9b08108cab44f5df28b41
Detections: win_xworm_w0 win_mal_XWorm INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_AsyncRAT MALWARE_Win_XWorm

SHA256 hash: 9157fc7ae2764c949ce1c04a2a1ebca3a016bb417bdecf9579d2ab56900ca372
MD5 hash: 61952d5b251c4e3e70fffd1074e54e3e
SHA1 hash: bdd6e740693ae01b1b16d67b6504a6bc127d2f22
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__MemoryWorkingSet
Author: Fernando Mercês
Description: Anti-debug process memory working set size check
Reference: http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded powershell script.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod

Rule name: Indicator_MiniDumpWriteDump
Author: Obscurity Labs LLC
Description: Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name: MALWARE_Win_R77
Author: ditekSHen
Description: Detects r77 rootkit

Rule name: meth_peb_parsing
Author: Willi Ballenthin

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: pe_imphash

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Suspicious_PssCaptureSnapshot_Usage
Author: Dana Behling - Just me not for personal curiosity, no company.
Description: Detects binaries abusing PssCaptureSnapshot in combination with typical combination that indicates malicious activity.

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Windows_Rootkit_R77_d0367e28
Author: Elastic Security
Reference: https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments