MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d1523bbaf9cccd544215c1dec33d97aa6cd4273dc4bb6469823c1385626d233. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 14

SHA256 hash: 8d1523bbaf9cccd544215c1dec33d97aa6cd4273dc4bb6469823c1385626d233
SHA3-384 hash: 0a8bc60f01ffc2f053a636d12dcabb53e1e308ea9fd760cb6b90554e750412445e1617935167f6272aa62647bf8c9086
SHA1 hash: 96fb2cbec7c08192a9b303e2d67be2f3fc9de36e
MD5 hash: c5b06db08c6a09e62a3c537c3a61851c
humanhash: colorado-hamper-eleven-stairway
File name: update.exe
Signature: XWorm
File size: 489'984 bytes
First seen: 2025-09-04 14:30:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 6144:myqpUEbKB7nSOhDu9oR1yEKXrnu2xxmAXyJR4iO6GELMJsujstDWfRjTfQtbz:eUEbItuO3hwxxmACJR4+GapAfRjT0
TLSH: T1DEA40100B8C060B3CE47A63470939E41EEB67D9D1B715B4F5E9D4EAE9F3329416ACE24
TrID: 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
      17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
      7.3% (.ICL) Windows Icons Library (generic) (2059/9)
      7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: abuse_ch
Tags: exe xworm

Intelligence


File Origin
# of uploads: 1
# of downloads: 92
Origin country: SE
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: update.exe
Verdict: Malicious activity
Analysis date: 2025-09-04 14:38:40 UTC
Tags: auto-reg evasion

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: virus remo hype
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the system32 directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Running batch commands
Launching a process
Searching for synchronization primitives
Creating a process with a hidden window
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: obfuscated packed packer_detected redcap vbnet
Verdict: Malicious
File Type: exe x64
First seen: 2023-07-10T20:58:00Z UTC
Last seen: 2023-07-10T20:58:00Z UTC
Hits: ~10
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Telegram RAT
Yara detected XWorm
Behaviour
Behavior Graph: (graph image not reproduced; Behavior Graph ID 1771230, sample update.exe, start date 04/09/2025, architecture WINDOWS, score 100). Network contacts shown in the graph: api.telegram.org (149.154.167.220, port 443), ip-api.com (208.95.112.1), fvia.id.vn (172.67.172.4, port 443) and 171.247.57.227 on port 4444. Dropped files shown in the graph: C:\Windows\System32\Runtime Broker.exe (PE32+) plus further executables under C:\Windows\System32, C:\ProgramData, C:\Program Files and C:\Users\Public whose file names did not survive extraction. Child processes include cmd.exe, powershell.exe, MpCmdRun.exe and conhost.exe.
Verdict: inconclusive
YARA: 5 match(es)
Tags: .Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.62 Win 64 Exe x64
Threat name: ByteCode-MSIL.Infostealer.Tinba
Status: Malicious
First seen: 2023-07-11 01:49:09 UTC
File Type: PE+ (.Net Exe)
Extracted files: 16
AV detection: 25 of 38 (65.79%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious use of AdjustPrivilegeToken
Looks up external IP address via web service
Loads dropped DLL
Verdict: Malicious
Tags: External_IP_Lookup
YARA: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: pe_no_import_table
Description: Detects PE files that have no import table
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP)
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: XWorm
File type: Executable exe
SHA256 hash: 8d1523bbaf9cccd544215c1dec33d97aa6cd4273dc4bb6469823c1385626d233 (this sample)