MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9128341eadbe23a479073756b46a420ec61725b60d8b7d68f428e997e30fc85f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9128341eadbe23a479073756b46a420ec61725b60d8b7d68f428e997e30fc85f
SHA3-384 hash: 1f135c53e869fcedecc60c78ecbf5fc0b558a417883cdc32332b96f55e20100620e124f85fa1df3e75431fc691453a85
SHA1 hash: c55c3c80b8409ee5f6b45d4ba3365111c2bc5b17
MD5 hash: 68c3115909de6af13b312b691122d19a
humanhash: april-mississippi-speaker-tango
File name:FG987654560009800.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:716'288 bytes
First seen:2025-07-04 13:04:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:cld7Ux3dgk2L74uD2HdHl+bb5xoXYx+rXf6qn0DHX6:cn72de7WHVl+nPIrXfv2
TLSH T13FE4DF2026604F17EA3A97F24111D13203F85EAC686EE6456FC2BDDF39B9F902990F57
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter lowmal3
Tags:exe xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
21
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/12319/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6867d159900df8e7f866a683
Tags:
extens micro spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the mass storage device
Connection attempt to an infection source
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap obfuscated obfuscated packed packed packed reconnaissance roboski stego vbnet
Link:
https://www.filescan.io/uploads/6867d1591d10e24bd44308e5/reports/362b489e-28ae-40b2-b578-ef1dff20caeb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9128341eadbe23a479073756b46a420ec61725b60d8b7d68f428e997e30fc85f
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0f1d6fb0-5529-407e-9025-14a6e3337c02
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1728832
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1728832 Sample: FG987654560009800.exe Startdate: 04/07/2025 Architecture: WINDOWS Score: 100 59 Suricata IDS alerts for network traffic 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 10 other signatures 2->65 7 FG987654560009800.exe 7 2->7         started        11 zNllktIKwpcXH.exe 5 2->11         started        13 svchost.exe 2->13         started        process3 dnsIp4 45 C:\Users\user\AppData\...\zNllktIKwpcXH.exe, PE32 7->45 dropped 47 C:\...\zNllktIKwpcXH.exe:Zone.Identifier, ASCII 7->47 dropped 49 C:\Users\user\AppData\Local\...\tmp7A44.tmp, XML 7->49 dropped 51 C:\Users\user\...\FG987654560009800.exe.log, ASCII 7->51 dropped 67 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->67 69 Uses schtasks.exe or at.exe to add and modify task schedules 7->69 71 Adds a directory exclusion to Windows Defender 7->71 16 powershell.exe 23 7->16         started        19 powershell.exe 23 7->19         started        21 FG987654560009800.exe 2 3 7->21         started        31 2 other processes 7->31 73 Multi AV Scanner detection for dropped file 11->73 75 Injects a PE file into a foreign processes 11->75 25 schtasks.exe 11->25         started        27 zNllktIKwpcXH.exe 11->27         started        29 zNllktIKwpcXH.exe 11->29         started        55 127.0.0.1 unknown unknown 13->55 file5 signatures6 process7 dnsIp8 57 Loading BitLocker PowerShell Module 16->57 33 conhost.exe 16->33         started        35 WmiPrvSE.exe 16->35         started        37 conhost.exe 19->37         started        53 198.12.126.169, 49681, 8780 AS-COLOCROSSINGUS United States 21->53 43 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 21->43 dropped 39 conhost.exe 25->39         started        41 conhost.exe 31->41         started        file9 signatures10 process11
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9128341eadbe23a479073756b46a420ec61725b60d8b7d68f428e997e30fc85f
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/68c3115909de6af13b312b691122d19a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9128341eadbe23a479073756b46a420ec61725b60d8b7d68f428e997e30fc85f/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2025-07-04 06:26:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=seudihvnxyr2i6ihg5lli2scb3dbojnwbwfx22hufduzpyypzbpq._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution persistence rat trojan
Link:
https://tria.ge/reports/250704-qa36cstnx3/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0ec0e87d-688a-4107-ab2e-13ce9439200a
Unpacked files
SH256 hash:
9128341eadbe23a479073756b46a420ec61725b60d8b7d68f428e997e30fc85f
MD5 hash:
68c3115909de6af13b312b691122d19a
SHA1 hash:
c55c3c80b8409ee5f6b45d4ba3365111c2bc5b17
Link:
https://www.unpac.me/results/e6f6bca6-1296-4912-bf99-f7be4e79844a/
SH256 hash:
8eb44a3a2b6fb16f7a1b8e8965b2a00588d40f04fb6e757e4a15318acb461905
MD5 hash:
67a35f1492a928df30ae721d6ce4e2c8
SHA1 hash:
3620e32cd7f625704d163ea28835ca1c1ffd4824
Link:
https://www.unpac.me/results/e6f6bca6-1296-4912-bf99-f7be4e79844a/
SH256 hash:
468a2c04ae310bbb0d521c69391adc3a15ae91e6053ff6c95eb2079000857768
MD5 hash:
9301ddffddf9a1f47c3700e02e8ede8d
SHA1 hash:
6874eb7dd9797ecd01911c92fee692e8ac9a53d1
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e6f6bca6-1296-4912-bf99-f7be4e79844a/
SH256 hash:
36200781beb2d56c8705c152246b0fac20f7a2cb13d988eee7de6529b9f1a1f0
MD5 hash:
e5a27de9609950379c07b3ebdc8d9772
SHA1 hash:
7c2fd4dd8bb0b6a9e9d27d5650d344a3bd4e696a
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/e6f6bca6-1296-4912-bf99-f7be4e79844a/
Parent samples :
368c3f4373be7b2de2adb08b623315e12d69d4d3f174c6a5d5b3e892a85fee51
9128341eadbe23a479073756b46a420ec61725b60d8b7d68f428e997e30fc85f
527faa491b052e081f3f21cc8a1499a895e69184b46fc039b382150f4ee7063e
252223c4796d1ff0184f549dd9cae4a0ab07c82958bb41f824f9b8aa92fa5496
d4d73e62678d24bb40d098fca92648ccf6c10622ec0925115efb21adfaa740ac
972fe50205f384bf9fd55ca98763d4ced7447b919bb69e376c483b4721a505d3
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9128341eadbe23a479073756b46a420ec61725b60d8b7d68f428e997e30fc85f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Executable exe 9128341eadbe23a479073756b46a420ec61725b60d8b7d68f428e997e30fc85f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/12319/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments