MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a97ef498ea1fcbe247efd79e293fcadb8b523c334762dcec53d8fb178e7c807. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a97ef498ea1fcbe247efd79e293fcadb8b523c334762dcec53d8fb178e7c807
SHA3-384 hash: 5a0c6c2fb2de68f65861cc01b5c86104688855af97a664fcbb2b4130ef90ef023c4a49cffcf381b805a1bb84cf3f9a8f
SHA1 hash: 24e4c3464f0c4a3ebf46bd0e8d0a39bd2e9f0a55
MD5 hash: 05a3652e22ffa7e85b65473182acb707
humanhash: single-zebra-four-music
File name:SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577
Download: download sample
Signature XWorm
Create hunting rule
File size:102'400 bytes
First seen:2025-03-26 17:26:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'075 x AgentTesla, 20'033 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 3072:Ku8cDKY2SgVmoXU/F+Vy54GCfcljji03L:K/DVSqE/FYgs6
TLSH T14DA3026173804774C02D69396C96A4DBEE2BE74198B2C95EB30DD29DDBB3ECC4F81624
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
469
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577
Verdict:
Malicious activity
Analysis date:
2025-03-26 17:29:19 UTC
Tags:
github
Link:
https://app.any.run/tasks/28dbaf31-10b7-4fb2-bb35-cf8acd097695

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e438c0cb6d38a89f3e70b7
Tags:
asyncrat autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Launching a process
Creating a file
Creating a window
Creating a process with a hidden window
Connection attempt
Searching for synchronization primitives
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Moving a file to the %temp% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/67e438bdf274bf2d8e23bb25/reports/1debd9fc-851a-493b-8601-aa345ae51313/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/9a97ef498ea1fcbe247efd79e293fcadb8b523c334762dcec53d8fb178e7c807
Malware family:
ModernLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1eb58343-b35b-4c25-a814-8dc90a0f85f5
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1649387
Signature
Antivirus / Scanner detection for submitted sample
Benign windows process drops PE files
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Process Parents
Tries to download files via bitsadmin
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1649387 Sample: SecuriteInfo.com.Trojan.Mul... Startdate: 26/03/2025 Architecture: WINDOWS Score: 80 36 x1.i.lencr.org 2->36 38 raw.githubusercontent.com 2->38 40 4 other IPs or domains 2->40 52 Antivirus / Scanner detection for submitted sample 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Sigma detected: Suspicious MSHTA Child Process 2->56 58 2 other signatures 2->58 9 SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe 5 4 2->9         started        12 svchost.exe 1 2 2->12         started        signatures3 process4 dnsIp5 30 C:\Users\user\...\successfulpayment.hta, HTML 9->30 dropped 32 SecuriteInfo.com.T...30868.14577.exe.log, CSV 9->32 dropped 16 mshta.exe 1 9->16         started        19 Acrobat.exe 64 9->19         started        44 github.com 140.82.114.3, 443, 49696, 49704 GITHUBUS United States 12->44 46 raw.githubusercontent.com 185.199.111.133, 443, 49699, 49706 FASTLYUS Netherlands 12->46 48 127.0.0.1 unknown unknown 12->48 34 C:\Users\user\AppData\Local\...\BIT84E5.tmp, PE32 12->34 dropped 60 Benign windows process drops PE files 12->60 file6 signatures7 process8 signatures9 50 Tries to download files via bitsadmin 16->50 21 bitsadmin.exe 1 16->21         started        23 AcroCEF.exe 107 19->23         started        process10 dnsIp11 26 conhost.exe 21->26         started        42 e8652.dscx.akamaiedge.net 23.216.136.238, 49700, 80 CCCH-3US United States 23->42 28 AcroCEF.exe 4 23->28         started        process12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9a97ef498ea1fcbe247efd79e293fcadb8b523c334762dcec53d8fb178e7c807
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a97ef498ea1fcbe247efd79e293fcadb8b523c334762dcec53d8fb178e7c807/
Threat name:
ByteCode-MSIL.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2025-03-26 17:26:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tkl66smouh6l4jd67v46fe74vw4lki6dgr3c3twfhwh3c6hhzadq._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery dropper execution persistence rat trojan
Link:
https://tria.ge/reports/250326-vzzxfs1qv6/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Download via BitsAdmin
Downloads MZ/PE file
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
142.147.96.74:7000
buinhatduy01.ddns.net:7000
buinhatduy.duckdns.org:7000
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/297fe25d-271c-4838-b373-2e8c5d2b2fd5
Unpacked files
SH256 hash:
9a97ef498ea1fcbe247efd79e293fcadb8b523c334762dcec53d8fb178e7c807
MD5 hash:
05a3652e22ffa7e85b65473182acb707
SHA1 hash:
24e4c3464f0c4a3ebf46bd0e8d0a39bd2e9f0a55
Link:
https://www.unpac.me/results/b6e5c541-b9b9-4c15-a513-7ebfb9b37d11/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9a97ef498ea1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.88
Link:
https://yomi.yoroi.company/submissions/9a97ef498ea1fcbe247efd79e293fcadb8b523c334762dcec53d8fb178e7c807

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Executable exe 9a97ef498ea1fcbe247efd79e293fcadb8b523c334762dcec53d8fb178e7c807

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3491334/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3491333/
  
URLhaus
https://urlhaus.abuse.ch/url/3491328/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments