MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a22f6db007744f7768782280e66832487b3b193ff20825203bb56210b7c4e923. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a22f6db007744f7768782280e66832487b3b193ff20825203bb56210b7c4e923
SHA3-384 hash: e1e3c88185c76b88e67a9d439a7c266d75611aa46fa676a0cb06252eddc4e892abbc4c7cbdc77ed010c22e5e3ef4a8fb
SHA1 hash: d79653b53e3affa5081d25cdea077299105d0472
MD5 hash: 7949220a0b341111716a81695324be27
humanhash: bulldog-fish-network-finch
File name:file
Download: download sample
Signature XWorm
Create hunting rule
File size:194'048 bytes
First seen:2024-11-05 13:18:35 UTC
Last seen:2024-11-08 17:29:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2afc6980a7ebf889d0553bb0b21b68dd (2 x XWorm, 1 x LummaStealer)
ssdeep 3072:jqWg0oaxBGieuvQTtv6c/mTRPyZqqiIdhI+czv/gJQE7zK+l+2aVtUq9JosKh:jgP8GiHvQTV+d/qi25eKfU2cDJ18
TLSH T1B114CF14B5C2C0B3FDA7643115F4C9B6AA3EB9625B219DEB2394437D0E326C3853686F
TrID 49.9% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.6% (.EXE) OS/2 Executable (generic) (2029/13)
9.5% (.EXE) Generic Win/DOS Executable (2002/3)
9.4% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:31-13-224-189 exe xworm


Avatar
Bitsight
url: http://husktools.duckdns.org/xwo.exe

Intelligence

File Origin
# of uploads :
30
# of downloads :
409
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-05 13:21:22 UTC
Tags:
xworm remote lumma stealer
Link:
https://app.any.run/tasks/53cdfdd0-988e-46bf-aaf6-47f30e24fad5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.8920.16255.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=672a1b4d49e92a05dde30c80
Tags:
malware
Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
crypto microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/672a1b516991fd18d4aaf307/reports/3d590076-51cd-4b3f-b10e-ef5b4ff5ad99/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a22f6db007744f7768782280e66832487b3b193ff20825203bb56210b7c4e923
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4fe170aa-0adf-4991-b9ca-a25a0a7155cc
Result
Threat name:
LummaC, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1549284
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected LummaC Stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1549284 Sample: file.exe Startdate: 05/11/2024 Architecture: WINDOWS Score: 100 73 husktools.duckdns.org 2->73 75 servicedny.site 2->75 77 10 other IPs or domains 2->77 85 Suricata IDS alerts for network traffic 2->85 87 Found malware configuration 2->87 89 Malicious sample detected (through community Yara rule) 2->89 93 12 other signatures 2->93 9 file.exe 1 2->9         started        12 XClient.exe 1 2->12         started        14 XClient.exe 1 2->14         started        16 5 other processes 2->16 signatures3 91 Uses dynamic DNS services 73->91 process4 signatures5 111 Contains functionality to inject code into remote processes 9->111 113 Writes to foreign memory regions 9->113 115 Allocates memory in foreign processes 9->115 117 Injects a PE file into a foreign processes 9->117 18 MSBuild.exe 16 7 9->18         started        23 WerFault.exe 22 16 9->23         started        25 conhost.exe 9->25         started        27 conhost.exe 12->27         started        29 conhost.exe 14->29         started        31 conhost.exe 16->31         started        33 conhost.exe 16->33         started        35 conhost.exe 16->35         started        37 2 other processes 16->37 process6 dnsIp7 79 husktools.duckdns.org 31.13.224.189, 443, 49764, 49789 SARNICA-ASBG Bulgaria 18->79 65 C:\Users\user\AppData\Local\Temp\zgxask.exe, PE32 18->65 dropped 67 C:\Users\user\AppData\Local\Temp\stuvei.exe, PE32 18->67 dropped 69 C:\Users\user\XClient.exe, PE32 18->69 dropped 95 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->95 97 Drops PE files to the user root directory 18->97 99 Uses schtasks.exe or at.exe to add and modify task schedules 18->99 39 stuvei.exe 18->39         started        42 zgxask.exe 1 18->42         started        44 schtasks.exe 1 18->44         started        71 C:\ProgramData\Microsoft\...\Report.wer, Unicode 23->71 dropped file8 signatures9 process10 signatures11 101 Machine Learning detection for dropped file 39->101 103 Injects a PE file into a foreign processes 39->103 105 LummaC encrypted strings found 39->105 46 stuvei.exe 39->46         started        50 WerFault.exe 39->50         started        53 conhost.exe 39->53         started        107 Multi AV Scanner detection for dropped file 42->107 109 Found many strings related to Crypto-Wallets (likely being stolen) 42->109 55 zgxask.exe 42->55         started        57 conhost.exe 42->57         started        59 WerFault.exe 42->59         started        61 conhost.exe 44->61         started        process12 dnsIp13 81 bakedstusteeb.shop 104.21.45.184, 443, 49991, 49993 CLOUDFLARENETUS United States 46->81 119 Query firmware table information (likely to detect VMs) 46->119 121 Found many strings related to Crypto-Wallets (likely being stolen) 46->121 123 Tries to harvest and steal ftp login credentials 46->123 125 2 other signatures 46->125 63 C:\ProgramData\Microsoft\...\Report.wer, Unicode 50->63 dropped 83 steamcommunity.com 104.102.49.254, 443, 49988 AKAMAI-ASUS United States 55->83 file14 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a22f6db007744f7768782280e66832487b3b193ff20825203bb56210b7c4e923
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a22f6db007744f7768782280e66832487b3b193ff20825203bb56210b7c4e923/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-11-05 13:19:05 UTC
File Type:
PE (Exe)
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uixw3mahorhxo2dyekaom2bsjb5twgj76ieckib3wvrbbn6e5erq._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery persistence rat trojan
Link:
https://tria.ge/reports/241105-qkhbmssepp/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Executes dropped EXE
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
husktools.duckdns.org:7000
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f928cd91-b12c-4ced-9524-0dbcd0fd6e53
Unpacked files
SH256 hash:
a22f6db007744f7768782280e66832487b3b193ff20825203bb56210b7c4e923
MD5 hash:
7949220a0b341111716a81695324be27
SHA1 hash:
d79653b53e3affa5081d25cdea077299105d0472
Link:
https://www.unpac.me/results/e9c474a4-cd35-4f9c-a6c7-481b40f9d09c/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Executable exe a22f6db007744f7768782280e66832487b3b193ff20825203bb56210b7c4e923

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3277102/
  
URLhaus
https://urlhaus.abuse.ch/url/3278187/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
WIN_CRYPT_APIUses Windows Crypt APIADVAPI32.dll::CryptAcquireContextA

Comments