MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dcfd65d8a4441b4816883d50e44a9f3cd5692dc956f47b7ae69bfe5de8d6e5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 18

Intelligence 18 IOCs YARA 8 File information Comments

SHA256 hash:	9dcfd65d8a4441b4816883d50e44a9f3cd5692dc956f47b7ae69bfe5de8d6e5a
SHA3-384 hash:	c7a8009f2252c9ab59c98f5d4cbf2341942e278ad1763255b26b9c098ec19fd7e73afed0eb4a70844669a14395aa068f
SHA1 hash:	05e7f67f526ac1916b97fa4ee1960fa39e393568
MD5 hash:	a464639bbcc77bf2429eefa47d5f1242
humanhash:	twelve-pip-three-wyoming
File name:	SecuriteInfo.com.Trojan.PackedNET.3408.8320.9832
Download:	download sample
Signature	XWorm Create hunting rule
File size:	630'280 bytes
First seen:	2025-09-08 13:18:53 UTC
Last seen:	2025-09-08 14:29:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:pUtjcG+kIxweL6m/wQSvJ0VKA2ZRNilANF7GOANFf70fn7Gu77FBkR:pUt5+CNzQSvJ0VGZRNinF0TFc
Threatray	122 similar samples on MalwareBazaar
TLSH	T114D40258222EEB02D1A28FB20B72F2F01B70AF9AE421D247AFD67DCFB475B545545243
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe xworm

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9dcfd65d8a4441b4816883d50e44a9f3cd5692dc956f47b7ae69bfe5de8d6e5a.exe

Verdict:

Malicious activity

Analysis date:

2025-09-08 13:02:33 UTC

Tags:

github auto-sch-xml xworm

Link:

https://app.any.run/tasks/abffb27f-9ad8-4706-9bc8-0af9ca180c98

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/26284/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.3408.8320.9832.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68bed7f26e66ba602d792cd8

Tags:

keylog micro spawn

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

DNS request

Connection attempt

Setting a global event handler for the keyboard

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

invalid-signature obfuscated packed packed packer_detected signed threat

Link:

https://www.filescan.io/uploads/68bed7fd9cc66fa4622c2621/reports/80bf501a-1d69-4ab9-9629-c2bbad25a453/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/9dcfd65d8a4441b4816883d50e44a9f3cd5692dc956f47b7ae69bfe5de8d6e5a

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-08T03:58:00Z UTC

Last seen:

2025-09-08T03:58:00Z UTC

Hits:

~100

Detections:

PDM:Trojan.Win32.Generic Trojan.MSIL.Taskun.sb Trojan.MSIL.Crypt.sb Backdoor.MSIL.XWorm.c Backdoor.MSIL.XWorm.a HEUR:Trojan-Spy.MSIL.Noon.gen Backdoor.Agent.TCP.C&C Trojan.MSIL.Inject.sb HEUR:Trojan.MSIL.Taskun.sb Backdoor.MSIL.XWorm.b Trojan-PSW.Win32.Stealer.sb VHO:Backdoor.Win32.Agent.gen

Link:

https://opentip.kaspersky.com/9dcfd65d8a4441b4816883d50e44a9f3cd5692dc956f47b7ae69bfe5de8d6e5a/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/307e64ac-b849-4fdb-94d0-efbedbcebcf5

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9dcfd65d8a4441b4816883d50e44a9f3cd5692dc956f47b7ae69bfe5de8d6e5a

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.24 Win 32 Exe x86

Link:

https://app.malva.re/file/a464639bbcc77bf2429eefa47d5f1242

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9dcfd65d8a4441b4816883d50e44a9f3cd5692dc956f47b7ae69bfe5de8d6e5a/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/9dcfd65d8a4441b4816883d50e44a9f3cd5692dc956f47b7ae69bfe5de8d6e5a

Threat name:

Win32.Backdoor.FormBook

Status:

Malicious

First seen:

2025-09-08 13:02:33 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 37 (72.97%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=txh5mxmkira3jaliqpkq4rfj6pgvnew4svxupn5ong76lxunnzna._file

Verdict:

malicious

Label(s):

xworm

unc_loader_037

XWorm

6ef00fa27b22acfceb6239f2af7ca5ae8b8ed95949f596e126f856f881638b9f

XWorm

8b8af25247922724fef0e498df02508b93947658630743d685608d03dd0264aa

XWorm

9dcfd65d8a4441b4816883d50e44a9f3cd5692dc956f47b7ae69bfe5de8d6e5a

XWorm

b994e8cd9cfc2cd2151b70947c845e529bc13cc2a90b4f0633fbe1eea8d50783

XWorm

error

XWorm

f0a54d67d5073a53fbef42ce7bb9c3422cd4d02236c677a58a7b74d7d2bec5c3

XWorm

f14c6f6b30e61683e8535d35e774a8cb819a0bcf405d97a6514074d14861b170

XWorm

+ 112 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm discovery execution persistence rat trojan

Link:

https://tria.ge/reports/250908-qkz7fscl6v/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Detect Xworm Payload

Xworm

Xworm family

Malware Config

C2 Extraction:

sharjahaquarium.com:6000

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/806755a4-2324-4950-9c91-a3a011abc761

Unpacked files

SH256 hash:

9dcfd65d8a4441b4816883d50e44a9f3cd5692dc956f47b7ae69bfe5de8d6e5a

MD5 hash:

a464639bbcc77bf2429eefa47d5f1242

SHA1 hash:

05e7f67f526ac1916b97fa4ee1960fa39e393568

Link:

https://www.unpac.me/results/802ae789-42e9-4f17-b0c5-ac8615ee38ae/

SH256 hash:

739e647c13339bb941808aafe983ee4d592625de107fbb5a63ecc7f423caf2c7

MD5 hash:

be553e69fe0f891e808d0b7dd45f8744

SHA1 hash:

629f994e3e8c7c419ccfb558ccea18d6d4d6ab03

Detections:

win_xworm_a0

win_xworm_w0

PureCrypter_Stage1

XWorm

win_xworm_bytestring

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

MALWARE_Win_XWorm

Link:

https://www.unpac.me/results/802ae789-42e9-4f17-b0c5-ac8615ee38ae/

Parent samples :

9dcfd65d8a4441b4816883d50e44a9f3cd5692dc956f47b7ae69bfe5de8d6e5a
8ca60d34baa3aaee492a9170904b85ec577fea3d7a4b5fd19f837088b961fb39

SH256 hash:

ef2a554021e671eed89dcbf3fe966b9483f80f062cc32842dec8b1d6173b3ab1

MD5 hash:

7f64fcd855c2d2e871551f8d7592a0b4

SHA1 hash:

a262065a8be83f789f31122ce808448d38bc9053

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/802ae789-42e9-4f17-b0c5-ac8615ee38ae/

SH256 hash:

a07218767cb37a2eb228ddf96d25724848f368c446abe6ad0813387dfc603f98

MD5 hash:

af22bb92639cb98b8f09382c32c478ac

SHA1 hash:

d97ed60de226af9876769ac2e94185cf1b25d676

Link:

https://www.unpac.me/results/802ae789-42e9-4f17-b0c5-ac8615ee38ae/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9dcfd65d8a44/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9dcfd65d8a4441b4816883d50e44a9f3cd5692dc956f47b7ae69bfe5de8d6e5a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)