MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90e5d4c94308393080431d375a33aeb1b8219c5448d64afb787bb30ee01dd3c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90e5d4c94308393080431d375a33aeb1b8219c5448d64afb787bb30ee01dd3c6
SHA3-384 hash: 08893d3f712b01e101a336d480e8aaf44371f6c1123332a0e53c8c7cca5980a57ab68e9ab8198ed3619af60a0872aa71
SHA1 hash: a1604b2deeca5d87e93d60a04db396d882bd9051
MD5 hash: 587a367b2f93baf9c3590198daf03de6
humanhash: colorado-november-low-green
File name:output.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:3'881'472 bytes
First seen:2025-04-24 12:21:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 98304:5zeNmnscNRAxSYTVtW7dt09eAN1MNvkS8Fl:5zSmscNexSYTVtYd0/MZk
Threatray 1'094 similar samples on MalwareBazaar
TLSH T10106EF3D76B6B290CD03263DAC73DA7106F94AB5409F24717CAABE99DD7243B90432D8
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter BastianHein
Tags:exe xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
500
Origin country :
CL CL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
output.exe
Verdict:
Malicious activity
Analysis date:
2025-04-24 12:25:37 UTC
Tags:
pastebin xworm evasion remote auto-reg auto-startup
Link:
https://app.any.run/tasks/d2dfb0f9-4226-4f1a-aa9b-6df7bd6e72df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/3852/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680a2dc0a37ff28e12992b72
Tags:
asyncrat dropper micro remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a window
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
entropy obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/680a2cf6833df795debc5bae/reports/3386d18e-8cfa-44e4-8f43-62379966fa81/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/90e5d4c94308393080431d375a33aeb1b8219c5448d64afb787bb30ee01dd3c6
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/89f2dc78-5042-49f7-8b6b-dc95d84982d8
Result
Threat name:
AsyncRAT, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1673035
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1673035 Sample: output.exe Startdate: 24/04/2025 Architecture: WINDOWS Score: 100 55 pastebin.com 2->55 57 libetolo-34967.portmap.io 2->57 59 ip-api.com 2->59 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Antivirus / Scanner detection for submitted sample 2->73 77 13 other signatures 2->77 10 output.exe 3 2->10         started        13 svchost.exe 2->13         started        16 XClient.exe 2->16         started        18 3 other processes 2->18 signatures3 75 Connects to a pastebin service (likely for C&C) 55->75 process4 dnsIp5 51 C:\Users\user\AppData\Roaming\Output.exe, PE32 10->51 dropped 53 C:\Users\user\AppData\...\BootstrapperNew.exe, PE32+ 10->53 dropped 20 Output.exe 3 10->20         started        24 BootstrapperNew.exe 17 10->24         started        67 127.0.0.1 unknown unknown 13->67 file6 process7 file8 49 C:\Users\user\AppData\Roaming\XClient.exe, PE32 20->49 dropped 79 Antivirus detection for dropped file 20->79 81 Multi AV Scanner detection for dropped file 20->81 83 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 20->83 26 XClient.exe 15 5 20->26         started        signatures9 process10 dnsIp11 61 libetolo-34967.portmap.io 193.161.193.99, 34967, 49695, 49696 BITREE-ASRU Russian Federation 26->61 63 ip-api.com 208.95.112.1, 49681, 80 TUT-ASUS United States 26->63 65 pastebin.com 172.67.25.94, 443, 49693 CLOUDFLARENETUS United States 26->65 85 Antivirus detection for dropped file 26->85 87 Multi AV Scanner detection for dropped file 26->87 89 Protects its processes via BreakOnTermination flag 26->89 91 5 other signatures 26->91 30 powershell.exe 23 26->30         started        33 powershell.exe 26->33         started        35 powershell.exe 26->35         started        37 2 other processes 26->37 signatures12 process13 signatures14 93 Loading BitLocker PowerShell Module 30->93 39 conhost.exe 30->39         started        41 conhost.exe 33->41         started        43 conhost.exe 35->43         started        45 conhost.exe 37->45         started        47 conhost.exe 37->47         started        process15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/90e5d4c94308393080431d375a33aeb1b8219c5448d64afb787bb30ee01dd3c6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90e5d4c94308393080431d375a33aeb1b8219c5448d64afb787bb30ee01dd3c6/
Threat name:
ByteCode-MSIL.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2025-04-24 12:22:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
21 of 24 (87.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sds5jskdba4tbacddu3vum5owg4cdhcujdlev63ypozq5ya52pda._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
1ca4a73b1076d2c6c0b97b3544919281b091e260f4970f62ae7f1cbcb9cc5e74
XWorm
2a70435cad922008fa6ac06cbb8cf6bca618c886af0884e2ad1a538ac77be716
XWorm
2cc420fbc43a2bedcf6a1bba99bda592a7a8c1735762f252cf7835c47143ef20
XWorm
4ece977efec20274f3da6f621bf59a1ced851eb0d571412d86d9e91af60c31aa
XWorm
90e5d4c94308393080431d375a33aeb1b8219c5448d64afb787bb30ee01dd3c6
XWorm
b83dd4e9b0456923c9d10fe76ee24ebe8d1be3cfe6033964e948980a10650b76
XWorm
c029d185a694aa636fc5a085a2d1d77fe084a40d8c162740a1ef4868c9ce91eb
XWorm
error
XWorm
+ 1'084 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm rat trojan
Link:
https://tria.ge/reports/250424-pjxt9stry7/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Detect Xworm Payload
Xworm
Xworm family
Verdict:
Malicious
Tags:
external_ip_lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/8e1bc2bc-28dd-4378-a1cc-bffa59704d45
Unpacked files
SH256 hash:
90e5d4c94308393080431d375a33aeb1b8219c5448d64afb787bb30ee01dd3c6
MD5 hash:
587a367b2f93baf9c3590198daf03de6
SHA1 hash:
a1604b2deeca5d87e93d60a04db396d882bd9051
Link:
https://www.unpac.me/results/e94f98f6-db69-4789-8086-c7e6353c868c/
SH256 hash:
880124e0795ee094fc5b42c71fcfbfb4dbbe4f9e47ba6dcb0c76f9a4e77562a6
MD5 hash:
c5eaeac5dd84e8406e6333702e83f49d
SHA1 hash:
94beef6dd11baa7d3c0b4413140c4e0f3dcb1c63
Detections:
win_xworm_w0
Create hunting rule
XWorm
Create hunting rule
win_xworm_bytestring
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/e94f98f6-db69-4789-8086-c7e6353c868c/
Malware family:
DCRat
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/90e5d4c94308/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90e5d4c94308393080431d375a33aeb1b8219c5448d64afb787bb30ee01dd3c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/3852/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments