MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 944331142490f71d89b1ec3e0d4cb940b71e9a6f5368fd85454875fec0699b86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 4 File information Comments

SHA256 hash:	944331142490f71d89b1ec3e0d4cb940b71e9a6f5368fd85454875fec0699b86
SHA3-384 hash:	0f4cf092a94a41cd9e3350df65f0f5fc3b213bf48b169795dd5aef7d10728c08db1b8466814b57311ccbd0b7848e3ae1
SHA1 hash:	e3c831d5b41f2cbe68a7051c30202c1bcdb181d0
MD5 hash:	913f7071140ea86535f50bf968ac412f
humanhash:	paris-gee-carbon-delta
File name:	30% Proforma Invoice, Revised Invoice & Unpai.exe
Download:	download sample
Signature	XWorm Create hunting rule
File size:	481'792 bytes
First seen:	2025-08-12 14:40:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:4rscIDrwmhG0l7c/cWIUmsnUmvDjCZmC7b6yz:44PNZlw07in12ZmC7
TLSH	T119A4018111BACD12D5B60FB20872E27517B9AE9E7022D74B5FD4BDCFB835B90094A393
TrID	56.5% (.EXE) Win64 Executable (generic) (10522/11/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	abuse_ch
Tags:	exe xworm

abuse_ch

XWorm C2:
45.93.8.18:5873

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.93.8.18:5873	https://threatfox.abuse.ch/ioc/1567643/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a6c3cfc3-b895-4676-a4bf-34991bb66a5b

Verdict:

Malicious activity

Analysis date:

2025-08-12 22:01:27 UTC

Tags:

netreactor remote xworm

Link:

https://app.any.run/tasks/a6c3cfc3-b895-4676-a4bf-34991bb66a5b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/20761/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=689b5619fca70bd90e8f179d

Tags:

shell virus spawn

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Connection attempt

Using the Windows Management Instrumentation requests

Setting a global event handler for the keyboard

Adding an exclusion to Microsoft Defender

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/689b6c7c397fd3ce6fa65fb0/reports/eff84a93-205f-4250-aedd-b5efc847dff2/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/944331142490f71d89b1ec3e0d4cb940b71e9a6f5368fd85454875fec0699b86

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/081ca8d1-ccac-44bd-9273-c297e343c1ee

Result

Threat name:

XWorm

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1755410

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample has a suspicious name (potential lure to open the executable)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suricata IDS alerts for network traffic

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/944331142490f71d89b1ec3e0d4cb940b71e9a6f5368fd85454875fec0699b86

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/944331142490f71d89b1ec3e0d4cb940b71e9a6f5368fd85454875fec0699b86/

Threat name:

ByteCode-MSIL.Backdoor.Remcos

Status:

Malicious

First seen:

2025-08-12 14:48:30 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=srbtcfbesd3r3cnr5q7a2tfzic3r5gtpknup3bkfjb275qdjtoda._file

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm execution rat trojan

Link:

https://tria.ge/reports/250812-tyvexaer3w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Detect Xworm Payload

Xworm

Xworm family

Malware Config

C2 Extraction:

45.93.8.18:5873

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/62e81a55-cedb-4c47-ad37-e8a57ed470c5

Unpacked files

SH256 hash:

944331142490f71d89b1ec3e0d4cb940b71e9a6f5368fd85454875fec0699b86

MD5 hash:

913f7071140ea86535f50bf968ac412f

SHA1 hash:

e3c831d5b41f2cbe68a7051c30202c1bcdb181d0

Link:

https://www.unpac.me/results/ae408add-15ae-41a3-b7e1-ee4752b07a31/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/944331142490/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.49

Link:

https://yomi.yoroi.company/submissions/944331142490f71d89b1ec3e0d4cb940b71e9a6f5368fd85454875fec0699b86

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/20761/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample