MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86cdddef536b2d56b43e91095abd41a465db9baffedb1aae557eac1bef7b7439. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	86cdddef536b2d56b43e91095abd41a465db9baffedb1aae557eac1bef7b7439
SHA3-384 hash:	22f3ed342f4c5960df3948fbc079df614e0d899e55a9ecf7879da3a5e7c2d47170e4e12b4adcdd227f195d503145c78e
SHA1 hash:	409cf0161ee117ef7e176e62c20ea0c80e4b4ac7
MD5 hash:	086e33b2cce7f1460f7828c2f1961394
humanhash:	edward-bacon-bulldog-finch
File name:	86cdddef536b2d56b43e91095abd41a465db9baffedb1aae557eac1bef7b7439
Download:	download sample
Signature	XWorm Create hunting rule
File size:	289'112 bytes
First seen:	2026-02-02 19:03:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e6f1598b2a519998440d496a93dd671e (1 x XWorm)
ssdeep	6144:K7PjPSpCEyyDVWHP5KD+spMVdSN16TsVXAt1UJsGRU5WM/07wMVd:KTSCZIWHP5KD+spMVdSN16TsVXAt1UJH
TLSH	T1CC54AE8E329439DFC877C472ABB55EE4E7586C7A531B810B90A3119C9E2D587FF042E2
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	johnk3r
Tags:	exe signed xworm

Code Signing Certificate

Organisation:	ATF TEXTİLE DIŞ TİCARET SANAYİ LİMİTED ŞİRKETİ
Issuer:	Sectigo Public Code Signing CA EV R36
Algorithm:	sha256WithRSAEncryption
Valid from:	2026-01-16T00:00:00Z
Valid to:	2027-01-16T23:59:59Z
Serial number:	56a83022f71f3c701cd3bfea1d8202df
Intelligence:	3 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:	This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	04d4e6235025dacf4e4c6bec27fb9d8310755b455414695c9d76d5d081a86d13
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

133

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

ConfuserEx

Details

ConfuserEx

decrypted strings and possibly embedded components

Link:

https://research.acce.ciphertechsolutions.com/results/51872bb2-d8b8-4532-be1e-25aa76a24579/

Malware family:

n/a

ID:

File name:

86cdddef536b2d56b43e91095abd41a465db9baffedb1aae557eac1bef7b7439.bin

Verdict:

Malicious activity

Analysis date:

2026-01-26 18:20:31 UTC

Tags:

remote xworm confuser loader

Link:

https://app.any.run/tasks/7e4e6698-71c1-4af1-a019-628ee7520bad

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/51326/

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6980f53e0bdf9fb6cc0970dd

Tags:

injection packed obfusc spam

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

confuser confuserex microsoft_visual_cc obfuscated obfuscated packed signed

Link:

https://www.filescan.io/uploads/6980f53e2ffccda097663e30/reports/9ffb25ba-c2f9-4e68-8aa9-5f162faf8434/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/86cdddef536b2d56b43e91095abd41a465db9baffedb1aae557eac1bef7b7439

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-01-26T13:58:00Z UTC

Last seen:

2026-02-03T05:14:00Z UTC

Hits:

~100

Detections:

Backdoor.Agent.TCP.C&C HEUR:Backdoor.MSIL.Agent.gen Backdoor.MSIL.XWorm.c Backdoor.MSIL.XWorm.b

Link:

https://opentip.kaspersky.com/86cdddef536b2d56b43e91095abd41a465db9baffedb1aae557eac1bef7b7439/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/7bc9e70e-e7e2-44f0-bbe9-779b39587b4e

Result

Threat name:

XWorm

Detection:

malicious

Classification:

troj.evad

Score:

44 / 100

Link:

https://www.joesandbox.com/analysis/1861923

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Score:

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/86cdddef536b2d56b43e91095abd41a465db9baffedb1aae557eac1bef7b7439

Verdict:

inconclusive

YARA:

7 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 1.00 Win 64 Exe x64

Link:

https://app.malva.re/file/086e33b2cce7f1460f7828c2f1961394

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/86cdddef536b2d56b43e91095abd41a465db9baffedb1aae557eac1bef7b7439/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/86cdddef536b2d56b43e91095abd41a465db9baffedb1aae557eac1bef7b7439

Threat name:

Win64.Trojan.Egairtigado

Status:

Malicious

First seen:

2026-01-26 21:18:02 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=q3g5332tnmwvnnb6seevvpkburs5xg5p73nrvlsvp2wbx333oq4q._file

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm rat trojan

Link:

https://tria.ge/reports/260202-xq46xsav2f/

Behaviour

Suspicious use of AdjustPrivilegeToken

ConfuserEx .NET packer

Downloads MZ/PE file

Detect Xworm Payload

Xworm

Xworm family

Unpacked files

SH256 hash:

86cdddef536b2d56b43e91095abd41a465db9baffedb1aae557eac1bef7b7439

MD5 hash:

086e33b2cce7f1460f7828c2f1961394

SHA1 hash:

409cf0161ee117ef7e176e62c20ea0c80e4b4ac7

Link:

https://www.unpac.me/results/adda5c37-f87b-4636-a1a8-f677177bf047/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.05

Link:

https://yomi.yoroi.company/submissions/86cdddef536b2d56b43e91095abd41a465db9baffedb1aae557eac1bef7b7439

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BlackGuard_Rule Create hunting rule
Author:	Jiho Kim
Description:	Yara rule for BlackGuarad Stealer v1.0 - v3.0
Reference:	https://www.virustotal.com/gui/file/67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71/detection

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/51326/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample