MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a03cee4520d0983d7bcc4717dc6143384c2d7d2ca3ef1a587f11fbb0fe90792b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: XWorm
Vendor detections: 13
Sections: Intelligence (13 vendor results), IOCs, YARA (31 rule matches), File information, Comments

SHA256 hash: a03cee4520d0983d7bcc4717dc6143384c2d7d2ca3ef1a587f11fbb0fe90792b
SHA3-384 hash: ae28562eb3a5b85ff551d95e80b93531f6a8f87e390387f7f1066b092cbfa6ed56f5504a193c3c01cc01810e06ebb44a
SHA1 hash: 8de90d7bee3266f664539ced2ca5939dddeba66c
MD5 hash: aada61eca61988a0b7d2d76803bf12ab
humanhash: illinois-carolina-emma-bluebird
File name: a03cee4520d0983d7bcc4717dc6143384c2d7d2ca3ef1a587f11fbb0fe90792b
Signature: XWorm
File size: 63'541'072 bytes
First seen: 2025-02-13 10:03:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 66b10d8b5718b0fd6fb4865843d44280 (also seen on 9 x FixStealer, 4 x AsyncRAT and 3 x NodeLoader samples; an import hash shared across unrelated families identifies the common packaging or runtime rather than the XWorm payload, so pivot on it with care)
ssdeep: 393216:H76L6otUitqtH7wHtXq2pt2jbOCacCFIK0fpP9HF4VW8yf/nVQx4urYsANulL7Nm:H0LoCOn+2/s4urYDNulLBiuK
TLSH: T196D7CE0372E60095E8B7D2388AA75503D773B8635731DACF326D06152FBBAD49A7B720
TrID:
  63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
  12.2% (.EXE) OS/2 Executable (generic) (2029/13)
  12.0% (.EXE) Generic Win/DOS Executable (2002/3)
  12.0% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
dhash icon: 0068e8b8ecf23240 (1 x XWorm)
Reporter: JAMESWT_WT
Tags: exe favor-ydns-eu xworm
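The fields above are what an analyst compares a local copy of a file against before trusting a match. The following is an added example, not MalwareBazaar's code: it computes the four listed digests in one pass and walks the PE headers to confirm the "Win64 Executable" / PE32+ claim, using only the Python standard library. The hash values are copied from this entry; the 90-byte PE header used for the self-check is constructed and is not a slice of the sample; imphash, ssdeep and TLSH are left out because they need the pefile, ssdeep and tlsh packages.

```python
"""Added example, not MalwareBazaar's own code: check a local file against the
digests listed in this entry and confirm the file-type claims (Executable exe,
PE32+/Win64) from the PE headers, standard library only."""
import hashlib
import struct
import sys

# Digests copied from the MalwareBazaar entry above.
ENTRY_HASHES = {
    "sha256": "a03cee4520d0983d7bcc4717dc6143384c2d7d2ca3ef1a587f11fbb0fe90792b",
    "sha3_384": "ae28562eb3a5b85ff551d95e80b93531f6a8f87e390387f7f1066b092cbfa6ed"
                "56f5504a193c3c01cc01810e06ebb44a",
    "sha1": "8de90d7bee3266f664539ced2ca5939dddeba66c",
    "md5": "aada61eca61988a0b7d2d76803bf12ab",
}

MACHINES = {0x14C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def hash_bytes(data: bytes) -> dict:
    """Compute every listed digest in a single pass, feeding 1 MiB slices so a
    63 MB sample is not copied once per algorithm."""
    hashers = {name: hashlib.new(name) for name in ENTRY_HASHES}
    view = memoryview(data)
    for off in range(0, len(view), 1 << 20):
        chunk = view[off:off + (1 << 20)]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_entry(hashes: dict, expected: dict = ENTRY_HASHES) -> bool:
    """True only if every listed digest agrees; a single mismatch means this
    is not the catalogued file (or the entry was mis-copied)."""
    return all(hashes.get(name) == digest for name, digest in expected.items())


def pe_kind(data: bytes) -> str:
    """Walk MZ header -> e_lfanew -> 'PE\\0\\0' -> COFF Machine -> optional
    header Magic. 'PE32+ (AMD64)' is what the entry's 'Win64 Executable' and
    'PE+ (Exe)' fields mean."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-PE"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need signature (4) + COFF header (20) + optional-header Magic (2).
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-PE"
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return f"{OPT_MAGIC.get(magic, 'PE-unknown')} ({MACHINES.get(machine, hex(machine))})"


def build_fake_pe32plus() -> bytes:
    """Constructed 90-byte stand-in for a Win64 PE header (not the sample)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points at offset 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # Machine = AMD64
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", 0x20B)  # Magic = PE32+


def verify_file(path: str) -> dict:
    """Hash a file on disk, compare it to the entry and classify its headers."""
    with open(path, "rb") as fh:
        data = fh.read()
    hashes = hash_bytes(data)
    return {"hashes": hashes, "matches_entry": matches_entry(hashes), "pe": pe_kind(data)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(verify_file(sys.argv[1]))
    else:
        print(pe_kind(build_fake_pe32plus()), hash_bytes(b"abc")["sha256"])
```

Run it as `python verify.py sample.bin`; a `matches_entry` of False with a correct sha256 points at a transcription error in one of the other digests, while a mismatch on all four means you have a different file (a re-packed or truncated download is the usual cause).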

Intelligence


File Origin
# of uploads: 1
# of downloads: 135
Origin country: IT

Vendor Threat Intelligence

Vendor result: ANY.RUN
Malware family: n/a
ID: 1
File name: a03cee4520d0983d7bcc4717dc6143384c2d7d2ca3ef1a587f11fbb0fe90792b.exe
Verdict: Malicious activity
Analysis date: 2025-02-13 10:10:34 UTC
Tags: remote xworm nodejs

Note: ANY.RUN is an interactive sandbox; its analysis covers everything the analyst did in the session, not just the uploaded sample, so the verdict above reflects that session.

Vendor result:
Verdict: Malicious
Score: 99.1%
Tags: virus shell sage

Vendor result:
Verdict: Malware
Behaviour:
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating synchronization primitives
Creating a file in the Windows subdirectories
Running batch commands
Launching a process
Creating a window
DNS request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Unauthorized injection to a system process

Vendor result:
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-debug anti-vm crypto evasive expand fingerprint lolbin microsoft_visual_cc obfuscated overlay packed pkg

Vendor result:
Verdict: UNKNOWN

Vendor result: Joe Sandbox
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signatures:
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected XWorm
Behaviour:
Behavior Graph (ID 1614140; sample analysed as xGEkrOCw0N.exe; start date 13/02/2025; architecture WINDOWS; score 100). Graph-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures. Network node: favor.ydns.eu.

Process tree recovered from the graph (numbers in parentheses are graph node IDs; every dropped executable and DLL is PE32+):

xGEkrOCw0N.exe (10)
  dropped: C:\Users\user\AppData\Local\...\favor2.exe; C:\Users\user\AppData\...\vcruntime140_1.dll; C:\Users\user\AppData\...\vcruntime140.dll; 30 other files (none is malicious)
  started: favor2.exe (20), conhost.exe (24)
  favor2.exe (20)
    dropped: C:\Windows\Microsoft.NET\...\favor2.exe; C:\Windows\...\vcruntime140_1.dll; C:\Windows\Microsoft.NET\...\vcruntime140.dll; 30 other files (none is malicious)
    signature: Hides threads from debuggers
    started: cmd.exe (38), AddInProcess32.exe (41)
    cmd.exe (38)
      signature: Uses cmd line tools excessively to alter registry or file data
      started: cmd.exe (54), conhost.exe (57)
      cmd.exe (54)
        signature: Uses cmd line tools excessively to alter registry or file data
        started: reg.exe (65)
        reg.exe (65)
          signature: Creates an autostart registry key pointing to binary in C:\Windows
    AddInProcess32.exe (41)
      network: favor.ydns.eu -> 178.215.224.234, remote port 2627, local ports 49874 and 49902 (LVLT-10753US, Germany)
      signature: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

cmd.exe (13)
  signature: Drops executables to the windows directory (C:\Windows) and starts them
  started: favor2.exe (26), conhost.exe (28)
  favor2.exe (26)
    dropped: C:\Users\user\SystemRootDoc\favor2.exe; C:\Users\user\...\vcruntime140_1.dll; C:\Users\user\...\vcruntime140.dll; 30 other files (none is malicious)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    started: cmd.exe (44), AddInProcess32.exe (46)
    cmd.exe (44)
      started: cmd.exe (59), conhost.exe (61)
      cmd.exe (59)
        started: reg.exe (68)

cmd.exe (16)
  started: favor2.exe (30), conhost.exe (32)
  favor2.exe (30)
    started: InstallUtil.exe (48), AddInProcess32.exe (50)
    InstallUtil.exe (48)
      started: WerFault.exe (63) (Windows Error Reporting, i.e. this InstallUtil.exe instance crashed)

cmd.exe (18)
  started: favor2.exe (34), conhost.exe (36)
  favor2.exe (34)
    started: AddInProcess32.exe (52)

Reading of the tree: the 63 MB dropper unpacks its bundle (tags: nodejs, pkg) and favor2.exe under AppData; favor2.exe copies itself into C:\Windows\Microsoft.NET\... and %USERPROFILE%\SystemRootDoc, registers a Run key through cmd.exe -> reg.exe, and uses the .NET helpers AddInProcess32.exe and InstallUtil.exe as hosts for an injected PE (the injection signatures sit on favor2.exe, the C2 traffic to favor.ydns.eu:2627 comes from AddInProcess32.exe, and the InstallUtil.exe instance crashed).

Vendor result: (gathering data)

Vendor result:
Threat name: Win64.Trojan.Leonem
Status: Malicious
First seen: 2025-02-05 00:04:05 UTC (eight days before the MalwareBazaar first-seen above)
File Type: PE+ (Exe)
Extracted files: 3
AV detection: 11 of 24 (45.83%)
Threat level: 5/5

Vendor result:
Score: 10/10
Tags: family:xworm discovery persistence rat trojan
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction: favor.ydns.eu:2627
Please note that we are no longer able to provide a coverage score for Virus Total.
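To turn the vendor results above into a hunt, the following added example (not MalwareBazaar's or any vendor's code) checks constructed DNS, connection and Run-key records for the indicators the reports agree on: the C2 favor.ydns.eu / 178.215.224.234:2627, the dropped favor2.exe, and autorun entries pointing into C:\Windows\Microsoft.NET\... or %USERPROFILE%\SystemRootDoc. The record formats, hostnames, client addresses, timestamps and the directory segment the report truncates are all assumptions.

```python
"""Added example, not MalwareBazaar's or any vendor's code: hunt for this
entry's indicators across constructed DNS, connection and registry data.
Record layouts are assumed; adapt the three parsers to your own exports."""
from ipaddress import ip_address

# Indicators from the vendor results above.
C2_DOMAIN = "favor.ydns.eu"
C2_IP = "178.215.224.234"
C2_PORT = 2627
DROPPED_EXE = "favor2.exe"
# The sandbox report truncates the full drop paths; match on what survives.
AUTORUN_PATH_MARKERS = ("c:\\windows\\microsoft.net\\", "\\systemrootdoc\\")


def scan_dns(lines):
    """Assumed record format: '<ts> <client> <query> <answer>'. Flags lookups of
    the C2 name (or a subdomain) and any other name resolving to the C2 address,
    which catches a rotated dynamic-DNS label in front of the same host."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, query, answer = fields[:4]
        name = query.rstrip(".").lower()
        if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN) or answer == C2_IP:
            hits.append({"ts": ts, "client": client, "query": name, "answer": answer})
    return hits


def scan_conn(lines):
    """Assumed record format: '<ts> <src_ip>:<sport> <dst_ip>:<dport>'.
    Destination == C2 IP is high confidence on any port; bare port 2627 to
    some other public address is kept only as a low-confidence lead."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        ts, src, dst = fields[:3]
        dst_ip, _, dst_port = dst.rpartition(":")
        try:
            port = int(dst_port)
            remote = ip_address(dst_ip)
        except ValueError:
            continue
        if dst_ip == C2_IP:
            hits.append({"ts": ts, "src": src, "dst": dst, "confidence": "high"})
        elif port == C2_PORT and remote.is_global:
            hits.append({"ts": ts, "src": src, "dst": dst, "confidence": "low"})
    return hits


def scan_run_keys(values):
    """values: (value_name, command) pairs exported from
    HK*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run."""
    hits = []
    for name, command in values:
        lowered = command.lower()
        if DROPPED_EXE in lowered:
            reason = "launches dropped binary name"
        elif any(marker in lowered for marker in AUTORUN_PATH_MARKERS):
            reason = "autorun from reported drop directory"
        else:
            continue
        hits.append({"name": name, "command": command, "reason": reason})
    return hits


# Constructed sample data (not from the report): hosts, times and clients invented.
DNS_LOG = [
    "2025-02-13T10:11:02Z 10.0.0.12 favor.ydns.eu. 178.215.224.234",
    "2025-02-13T10:11:05Z 10.0.0.12 example.net. 93.184.216.34",
    "2025-02-13T10:11:09Z 10.0.0.40 cdn.example.org. 178.215.224.234",
]
CONN_LOG = [
    "2025-02-13T10:11:03Z 10.0.0.12:49874 178.215.224.234:2627",
    "2025-02-13T10:11:10Z 10.0.0.12:49902 178.215.224.234:2627",
    "2025-02-13T10:12:00Z 10.0.0.40:51000 37.1.2.3:2627",
    "2025-02-13T10:12:30Z 10.0.0.40:51001 10.0.0.5:2627",
    "2025-02-13T10:13:00Z 10.0.0.12:49905 93.184.216.34:443",
]
RUN_KEYS = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    # 'Sub' is a placeholder for the directory segment the report truncates.
    ("favor2", r'"C:\Windows\Microsoft.NET\Sub\favor2.exe"'),
    ("SystemRootDoc", r"C:\Users\alice\SystemRootDoc\favor2.exe"),
]


def hunt() -> dict:
    """Run all three scans over the constructed data."""
    return {"dns": scan_dns(DNS_LOG), "conn": scan_conn(CONN_LOG), "run": scan_run_keys(RUN_KEYS)}


if __name__ == "__main__":
    for kind, found in hunt().items():
        print(kind, len(found), found)
```

Any destination equal to the C2 address is reported as high confidence regardless of port, because the name is a dynamic-DNS label that is cheap to change; the bare port alone is too common to act on, so it is only a lead. Extend AUTORUN_PATH_MARKERS with the exact path once you recover it from your own sample.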

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed. Read the list below with that in mind: most of the 31 matches come from generic rules (hash-algorithm constants, anti-debugging and anti-VM checks, packer and overlay heuristics) or from rules written for unrelated families and tooling; a 63 MB Node.js bundle (tags: nodejs, pkg, overlay) carries enough runtime code to trigger such rules, and one description below warns that it "can create FP". Treat them as pivots to investigate, not as attribution; the XWorm attribution rests on the vendor detections and the extracted configuration above.

Rule name: ach_202409_html_FedEx_phish
Author: abuse.ch
Description: Detects potential HTML FedEx phishing forms

Rule name: APT_Bitter_ZxxZ_Downloader
Author: SECUINFRA Falcon Team (@SI_FalconTeam)
Description: Detects Bitter (T-APT-17) ZxxZ Downloader
Reference: https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh

Rule name: attack_India

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: Check_OutputDebugStringA_iat

Rule name: cobalt_strike_beacon_detected
Author: 0x0d4y
Description: This rule detects cobalt strike beacons.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Glasses
Author: Seth Hardy
Description: Glasses family

Rule name: GlassesCode
Author: Seth Hardy
Description: Glasses code features

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: Mimikatz_Generic
Author: Still
Description: attempts to match all variants of Mimikatz

Rule name: MoleBoxv20
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: reverse_http
Author: CD_R0M_
Description: Identify strings with http reversed (ptth)

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: skip20_sqllang_hook
Author: Mathieu Tartare <mathieu.tartare@eset.com>
Description: YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.
Reference: https://www.welivesecurity.com/

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: test_Malaysia
Author: rectifyq
Description: Detects file containing malaysia string

Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants

Rule name: without_attachments
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the absence of any attachment
Reference: http://laboratorio.blogs.hispasec.com/

Rule name: with_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the presence of one or several URLs
Reference: http://laboratorio.blogs.hispasec.com/
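Several of the rules above (BLOWFISH_Constants, MD5_Constants, SHA1_Constants, SHA512_Constants, WHIRLPOOL_Constants, reverse_http) match fixed byte sequences rather than anything XWorm-specific. The following added example, not abuse.ch's or the rule authors' code, sketches that matching logic in Python for MD5, SHA-1 and the reversed "http" string and runs it over a constructed blob; the published rules use their own byte patterns and thresholds, which are not reproduced here. It shows why a single linked hash library yields two constant-rule hits at once.

```python
"""Added example, not abuse.ch's or any rule author's code: a simplified
pure-Python version of what constant-matching YARA rules look for, run over
a constructed blob to show why they fire on any binary that embeds a hash
implementation. Rule logic is a sketch; the blob is invented, not sample data."""
import struct

# Initial hash state from RFC 1321 (MD5) and FIPS 180-4 (SHA-1). SHA-1's first
# four words equal MD5's, so code embedding SHA-1 also satisfies an MD5 rule.
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
SHA1_IV = MD5_IV + (0xC3D2E1F0,)

CONSTANT_RULES = {
    "MD5_Constants": MD5_IV,
    "SHA1_Constants": SHA1_IV,
}


def _encodings(value: int):
    # Compilers store the words little-endian on x86/x64; a big-endian or
    # hand-written implementation may keep them the other way round.
    return struct.pack("<I", value), struct.pack(">I", value)


def constants_present(data: bytes, constants) -> bool:
    """True if every constant occurs in the data in either byte order."""
    return all(any(enc in data for enc in _encodings(c)) for c in constants)


def match_rules(data: bytes) -> list:
    """Names of the sketched rules that would fire on `data`."""
    hits = [name for name, consts in CONSTANT_RULES.items() if constants_present(data, consts)]
    if b"ptth" in data:  # reverse_http: the string "http" stored reversed
        hits.append("reverse_http")
    return hits


def build_blob(with_sha1: bool = True, with_ptth: bool = True) -> bytes:
    """Constructed stand-in for a section that embeds the IVs between
    unrelated bytes, the way a linked crypto library would."""
    filler = bytes(range(256))
    words = SHA1_IV if with_sha1 else MD5_IV
    ivs = b"".join(struct.pack("<I", w) for w in words)
    tail = b"ptth" if with_ptth else b"http"
    return filler + ivs + filler[::-1] + tail


if __name__ == "__main__":
    print(match_rules(build_blob()))              # constant and string rules fire
    print(match_rules(build_blob(False, False)))  # only MD5_Constants
    print(match_rules(b"no crypto here"))         # nothing
```

When one of these rules is among your matches, run `yara -s` on the file to see which bytes matched before treating the hit as attribution; on a Node.js bundle of this size the hash initialisation vectors are expected content, not evidence of XWorm.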

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments