MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88067e120c8b5186776b1acad8a57c310568693cf0c109b5d5cca5667b5767ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88067e120c8b5186776b1acad8a57c310568693cf0c109b5d5cca5667b5767ef
SHA3-384 hash: 5656105f955eca75d8f638974758c35c757a65b14231c750e2084a5e26b7f3c9e583b595dc8ee5b540a4a06fdac41268
SHA1 hash: 30949dfc13e2890afd4cbf595902584aa6e42da8
MD5 hash: 2f932d7274db20d3d27ea9ae69e684bf
humanhash: potato-yankee-quebec-low
File name:88067e120c8b5186776b1acad8a57c310568693cf0c109b5d5cca5667b5767ef
Download: download sample
Signature XWorm
Create hunting rule
File size:324'608 bytes
First seen:2025-01-17 08:12:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:tx+DoLeAx3T++PLaS3j83ezcCffOswGsWGdWyHnZm7Wgf23d6Lmt:tnxSS3fzcCXJw+GEynH6Lm
TLSH T1FA642341C86C8096EE35ED398EFBF41947A5DB822503C64F7A4A5F5084373A7CA6B3C6
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter JAMESWT_WT
Tags:62-122-184-98 booking exe xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
444
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
88067e120c8b5186776b1acad8a57c310568693cf0c109b5d5cca5667b5767ef
Verdict:
Malicious activity
Analysis date:
2025-01-17 09:44:35 UTC
Tags:
rat asyncrat remote purehvnc stealer
Link:
https://app.any.run/tasks/544787f3-2eaf-49ef-8740-0f64eb9098fd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.21924.8051.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=678a11114487910100dfbcaa
Tags:
asyncrat dropper virus msil
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
net_reactor obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/678a1114ba38081b4a1a2ef9/reports/b2ace145-5906-45ad-9838-c9dd80521973/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/88067e120c8b5186776b1acad8a57c310568693cf0c109b5d5cca5667b5767ef
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/291e31ca-1877-425a-8f32-93c799664eb8
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1593500
Signature
.NET source code contains very large array initializations
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/88067e120c8b5186776b1acad8a57c310568693cf0c109b5d5cca5667b5767ef
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88067e120c8b5186776b1acad8a57c310568693cf0c109b5d5cca5667b5767ef/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2025-01-17 08:13:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=radh4eqmrniym53ldlfnrjl4gecwq2j46daqtnovzsswm62xm7xq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250117-j4exasypbq/
Behaviour
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1efc106d-c036-4ff3-b1a4-961cab053aa3
Unpacked files
SH256 hash:
43d75c4c8d373c7bd17ea6799076f0b101a6314a5b804a11b8141be94f91ac96
MD5 hash:
dd9df45df22507c98cf21c24d81a8883
SHA1 hash:
57232134925664d06368be60d71fb034ca7e2c8b
Link:
https://www.unpac.me/results/101b02aa-7fd2-4a17-8be8-d89328f8487f/
SH256 hash:
88067e120c8b5186776b1acad8a57c310568693cf0c109b5d5cca5667b5767ef
MD5 hash:
2f932d7274db20d3d27ea9ae69e684bf
SHA1 hash:
30949dfc13e2890afd4cbf595902584aa6e42da8
Link:
https://www.unpac.me/results/101b02aa-7fd2-4a17-8be8-d89328f8487f/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments