MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 972fe50205f384bf9fd55ca98763d4ced7447b919bb69e376c483b4721a505d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 12 File information Comments

SHA256 hash:	972fe50205f384bf9fd55ca98763d4ced7447b919bb69e376c483b4721a505d3
SHA3-384 hash:	661cda67c694259403fc829b255490b7e9e77f6db12ab95348945572e4a030535f8d1c1f364e48fd179b11c830c3b6c9
SHA1 hash:	a7a46c76ead7d7f0da617210f19548c8c654bc30
MD5 hash:	b402af9b6aa387c5d2181eda415a0202
humanhash:	montana-failed-yellow-artist
File name:	PO112345.scr
Download:	download sample
Signature	XWorm Create hunting rule
File size:	720'392 bytes
First seen:	2025-07-07 08:19:42 UTC
Last seen:	2025-07-14 07:24:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:NPjd7Ux3NcHBvP9vVakpPsH5Otl1NikVRBxIkR:NPJ72QBvP9bpow1NiKxf
Threatray	50 similar samples on MalwareBazaar
TLSH	T1CDE4DF1027645F52EA3A8BF64120D13213B95E9D656DE2566FC2BCCF3DBAF802890F17
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	adrian__luca
Tags:	exe xworm

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
213.209.150.147:6000	https://threatfox.abuse.ch/ioc/1554169/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/12634/

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=686b8375c9eb9747376755f0

Tags:

virus spawn msil

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/972fe50205f384bf9fd55ca98763d4ced7447b919bb69e376c483b4721a505d3

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1f059882-3a4b-4a88-9262-9f91f1c1bcd0

Score:

90%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/972fe50205f384bf9fd55ca98763d4ced7447b919bb69e376c483b4721a505d3

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable PE (Portable Executable) SOS: 0.04 Win 32 Exe x86

Link:

https://app.malva.re/file/b402af9b6aa387c5d2181eda415a0202

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/972fe50205f384bf9fd55ca98763d4ced7447b919bb69e376c483b4721a505d3/

Threat name:

ByteCode-MSIL.Backdoor.FormBook

Status:

Malicious

First seen:

2025-07-04 07:47:39 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 38 (52.63%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=s4x6kaqf6ocl7h6vlsuyoy6uz3lui64rto3j4n3mja5uoinfaxjq._file

Verdict:

malicious

Label(s):

unc_loader_037

XWorm

4350dbe482fb5195748203ebc618d6b2f88218b02e4183e203dedebe7e0e94ef

XWorm

7a2a7f0806c0d8a61652d6e5533d4057bfef71c0b794e07772914be2296852de

XWorm

d16e631c7b57f0b20be7b526e713f29800ac13b68694e01f33136a4fae643f7e

XWorm

ee2c474d321d710e3e3d5808bde560a2bd3e94cef6d9b457149a2c3300972228

XWorm

error

XWorm

+ 40 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm discovery execution persistence rat trojan

Link:

https://tria.ge/reports/250707-j8p8tszxcv/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Detect Xworm Payload

Xworm

Xworm family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0ef00495-fd46-4647-bde6-fdac778483b6

Unpacked files

SH256 hash:

972fe50205f384bf9fd55ca98763d4ced7447b919bb69e376c483b4721a505d3

MD5 hash:

b402af9b6aa387c5d2181eda415a0202

SHA1 hash:

a7a46c76ead7d7f0da617210f19548c8c654bc30

Link:

https://www.unpac.me/results/ab2b8b62-d6a4-4dfe-b998-f5e834047982/

SH256 hash:

41b35c20e39525507287eceece23144ce5a6dc92a56de5b9dddede11099b1318

MD5 hash:

a8677094c72bbb5a3a66fb95dcb2c630

SHA1 hash:

74c141e4d4c6fb37268f2cbffa91db2d92fe492f

Link:

https://www.unpac.me/results/ab2b8b62-d6a4-4dfe-b998-f5e834047982/

SH256 hash:

36200781beb2d56c8705c152246b0fac20f7a2cb13d988eee7de6529b9f1a1f0

MD5 hash:

e5a27de9609950379c07b3ebdc8d9772

SHA1 hash:

7c2fd4dd8bb0b6a9e9d27d5650d344a3bd4e696a

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/ab2b8b62-d6a4-4dfe-b998-f5e834047982/

Parent samples :

368c3f4373be7b2de2adb08b623315e12d69d4d3f174c6a5d5b3e892a85fee51
9128341eadbe23a479073756b46a420ec61725b60d8b7d68f428e997e30fc85f
527faa491b052e081f3f21cc8a1499a895e69184b46fc039b382150f4ee7063e
252223c4796d1ff0184f549dd9cae4a0ab07c82958bb41f824f9b8aa92fa5496
d4d73e62678d24bb40d098fca92648ccf6c10622ec0925115efb21adfaa740ac
972fe50205f384bf9fd55ca98763d4ced7447b919bb69e376c483b4721a505d3

SH256 hash:

e7dc9dcf253d37ff0d26f7c0d7875541750f97616c639157add822a350d81b21

MD5 hash:

c8c8ffecdcfee163ceae65a6173b5982

SHA1 hash:

ddddc593900808b388dddfbf425ea594ffbc0522

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/ab2b8b62-d6a4-4dfe-b998-f5e834047982/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/972fe50205f3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/972fe50205f384bf9fd55ca98763d4ced7447b919bb69e376c483b4721a505d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	Windows_Trojan_XWorm_b7d6eaa8 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

exe 972fe50205f384bf9fd55ca98763d4ced7447b919bb69e376c483b4721a505d3

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/12634/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample