MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97a56140a1a02fca690af510095e530e404da6a716f835758d0d113e3aada668. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 18


Intelligence 18 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97a56140a1a02fca690af510095e530e404da6a716f835758d0d113e3aada668
SHA3-384 hash: 7e86b3043509018d2195402c5862cdde363500a650d33a866f465d95fa48f2c3a73ca25aec04a1042f0e0b4586b208b9
SHA1 hash: 0bc94f9af6482d43ef7a579986827a1d5dd54236
MD5 hash: 5b7967ed5fea40e065293d3daa186700
humanhash: winter-mirror-ohio-winner
File name:AcerusV11.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:1'191'424 bytes
First seen:2025-02-12 16:30:50 UTC
Last seen:2025-02-12 16:31:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:IrXIysjO+jXbFPnkhNILdKazP8HffK8salR4KtEWGMrTsM:gIXOubFPkcAKU/Psm/BI
TLSH T1444533C4F584D0EECE3C46BA9C3415A402B6AC7DF591CA6D208DF68AAE3254B1D417FB
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon 10c0f0b068cdc420 (1 x XWorm)
Reporter xVantl
Tags:exe RAT trojan xworm


Avatar
xVantl
Its a fake Cheating software that is distrubuted from https://acerus.vip and the download link right now is leading to https://gofile.to/na7m/acerusv1.rar

Its trying some things to detect if the VM etc is from any.run or in general a hosting IP, Can be bypassed by editing the anyrun method to always return false so it can be run.

Intelligence

File Origin
# of uploads :
2
# of downloads :
522
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AcerusV11.exe
Verdict:
Malicious activity
Analysis date:
2025-02-12 16:24:50 UTC
Tags:
evasion purecrypter purelogs remote xworm stealer netreactor ims-api generic crypto-regex
Link:
https://app.any.run/tasks/8f2b42f2-2d0c-49db-9d39-ee9df149f049

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Packy-10033570-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67acccd64f5583c4c4d86d15
Tags:
clipbanker asyncrat autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Launching a process
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a window
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm lolbin obfuscated obfuscated packed packed packer_detected runonce vbnet wscript
Link:
https://www.filescan.io/uploads/67acccdcc24a487ec9d0c120/reports/6b26faeb-8401-4777-9c0a-a4237841127e/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/97a56140a1a02fca690af510095e530e404da6a716f835758d0d113e3aada668
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b5183d35-99ab-4d50-aa24-9bffdcd0e65e
Result
Threat name:
AsyncRAT, MicroClip, Strela Stealer, XWo
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1613339
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates multiple autostart registry keys
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected MicroClip
Yara detected Strela Stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1613339 Sample: AcerusV11.exe Startdate: 12/02/2025 Architecture: WINDOWS Score: 100 55 ip-api.com 2->55 57 158.157.4.0.in-addr.arpa 2->57 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Antivirus / Scanner detection for submitted sample 2->67 69 16 other signatures 2->69 9 AcerusV11.exe 3 5 2->9         started        13 Sys.exe 2->13         started        15 Sys.exe 2->15         started        17 6 other processes 2->17 signatures3 process4 file5 45 C:\Users\user\AppData\Roaming\audiodg.exe, PE32 9->45 dropped 47 C:\Users\user\AppData\Roaming\WinCs.exe, PE32 9->47 dropped 49 C:\Users\user\AppData\Roaming\Sys.exe, PE32 9->49 dropped 51 C:\Users\user\AppData\...\AcerusV11.exe.log, CSV 9->51 dropped 89 Creates multiple autostart registry keys 9->89 91 Bypasses PowerShell execution policy 9->91 93 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->93 107 2 other signatures 9->107 19 Sys.exe 9->19         started        23 audiodg.exe 9->23         started        25 WinCs.exe 1 4 9->25         started        28 3 other processes 9->28 95 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->95 97 Tries to steal Mail credentials (via file / registry access) 13->97 99 Tries to harvest and steal Bitcoin Wallet information 13->99 101 Tries to harvest and steal browser information (history, passwords, etc) 15->101 103 Antivirus detection for dropped file 17->103 105 Multi AV Scanner detection for dropped file 17->105 signatures6 process7 dnsIp8 59 176.65.134.31, 49710, 49711, 49802 DIOGELO-ASGB Germany 19->59 71 Antivirus detection for dropped file 19->71 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->73 75 Tries to steal Mail credentials (via file / registry access) 19->75 87 2 other signatures 19->87 61 ip-api.com 208.95.112.1, 49708, 80 TUT-ASUS United States 23->61 77 Adds a directory exclusion to Windows Defender 23->77 30 powershell.exe 23->30         started        33 powershell.exe 23->33         started        53 C:\Users\user\AppData\Roaming\...\dgcd.exe, PE32 25->53 dropped 79 Multi AV Scanner detection for dropped file 25->79 81 Creates multiple autostart registry keys 25->81 83 Found many strings related to Crypto-Wallets (likely being stolen) 28->83 85 Loading BitLocker PowerShell Module 28->85 35 conhost.exe 28->35         started        37 conhost.exe 28->37         started        39 conhost.exe 28->39         started        file9 signatures10 process11 signatures12 109 Loading BitLocker PowerShell Module 30->109 41 conhost.exe 30->41         started        43 conhost.exe 33->43         started        process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/97a56140a1a02fca690af510095e530e404da6a716f835758d0d113e3aada668
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97a56140a1a02fca690af510095e530e404da6a716f835758d0d113e3aada668/
Threat name:
ByteCode-MSIL.Trojan.XWormRAT
Create hunting rule
Status:
Malicious
First seen:
2025-02-12 16:24:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s6swcqfbuax4u2ik6uiasxstbzae3jvhc34dk5mnbuit4ovnuzua._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
dotnet_loader_002
Create hunting rule
stormkitty
Create hunting rule
Similar samples:
error
XWorm
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm collection discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/250212-t1f1aszkbx/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
176.65.134.31:7000
Verdict:
Malicious
Tags:
Win.Packed.Packy-10033570-0 external_ip_lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/30bedc5e-3f80-4d42-97b8-64036f9555fa
Unpacked files
SH256 hash:
97a56140a1a02fca690af510095e530e404da6a716f835758d0d113e3aada668
MD5 hash:
5b7967ed5fea40e065293d3daa186700
SHA1 hash:
0bc94f9af6482d43ef7a579986827a1d5dd54236
Link:
https://www.unpac.me/results/c6ccf0ce-45ff-45a7-baa9-2774ab556fb4/
SH256 hash:
7a9ae9b93612e2dd022ccff7cbc0e53ebfb2141d60083e62b92a807a0d18f201
MD5 hash:
acfbf0c8dd838904b9be1dfedc93e7b8
SHA1 hash:
6a467e6de71ee5b2240aeccffc913dea76afc3a5
Link:
https://www.unpac.me/results/c6ccf0ce-45ff-45a7-baa9-2774ab556fb4/
SH256 hash:
efd48e6ff807b6980b5ded722a50f333f2dbbecb3d6e5bd75874f6dd828fded8
MD5 hash:
4e825f960cacc1f81701fccd6caada69
SHA1 hash:
9cafa465e7d8e19a7e568ec1bf99857b382aff37
Detections:
win_xworm_w0
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/c6ccf0ce-45ff-45a7-baa9-2774ab556fb4/
SH256 hash:
ed417ee79c362421ebae07c942e2029b95dd965e0a0d3ed08aaf72e952375ca2
MD5 hash:
a862c31c0fae437f97e9ed3ddfd0aa5d
SHA1 hash:
1544c9091c9085ab88ba8bb87fd260017b671cb5
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/c6ccf0ce-45ff-45a7-baa9-2774ab556fb4/
SH256 hash:
e087665242269d8cdad814b5f9d8ccabad265fc6cedf4b000b01fb2b866b03ac
MD5 hash:
1ba3ed12c6df79e549c104aa182d13ca
SHA1 hash:
3680c44a7ada2ee7f1320828c4a3bc19fbd108fb
Link:
https://www.unpac.me/results/c6ccf0ce-45ff-45a7-baa9-2774ab556fb4/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/c6ccf0ce-45ff-45a7-baa9-2774ab556fb4/
SH256 hash:
f61762305b51edafb9e899e0cf91099fcafe60de23871741f2ac8d30bb4530a0
MD5 hash:
09c76ed6a1815252b7df4f24b8d512e7
SHA1 hash:
545624be670ca12c1c69832d72265e0c40515471
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/c6ccf0ce-45ff-45a7-baa9-2774ab556fb4/
SH256 hash:
39c50dd35227e36f774890e0d20c0a08dfacff50b1627a99b61e48479858381e
MD5 hash:
de6faa354fd7ae43b3aeb519004c41ba
SHA1 hash:
2bb5b05e582086858c9b23531da3162d573b1d58
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/c6ccf0ce-45ff-45a7-baa9-2774ab556fb4/
SH256 hash:
98c7b433b29d82a61b496f037b9428e14c7a3ebcc6d71ddc68f150c7b4aac59f
MD5 hash:
9688a94bbff49aa9fccfd2dcd4f0d325
SHA1 hash:
8305b9cde1307b385287eea33440995c6815bf64
Link:
https://www.unpac.me/results/c6ccf0ce-45ff-45a7-baa9-2774ab556fb4/
Malware family:
DCRat
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/97a56140a1a0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/97a56140a1a02fca690af510095e530e404da6a716f835758d0d113e3aada668

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Executable exe 97a56140a1a02fca690af510095e530e404da6a716f835758d0d113e3aada668

(this sample)

  
Link
https://tria.ge/250212-tsfdssypdl/behavioral1
  
Dropping
Xworm
  
Dropping
purelogs
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments