MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3b8536a04550944ecf85c48127505e50082b6ec876f085283837454f4a8101f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3b8536a04550944ecf85c48127505e50082b6ec876f085283837454f4a8101f
SHA3-384 hash: 770d436d25abcef1735ff7f55c3bfb8fd4511c3ec99b8e22063604d8916ee7f8deda7d00fd4aed2b165928c7bf54b7cb
SHA1 hash: 30fa446b5ef34c795dc7879ac8c5479ca94ad2b6
MD5 hash: 6eca361569dc360689f052ea75c090f0
humanhash: emma-may-jig-kitten
File name:LBzdp1L.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:2'293'248 bytes
First seen:2025-08-04 11:25:33 UTC
Last seen:2025-08-04 13:19:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:4YnItr9N7P/CxuvdTSa0RtA7jUvMaMiPzoDhHgy:NgND/CWT4R8wFMYodAy
Threatray 6 similar samples on MalwareBazaar
TLSH T178B5335C3E268B15CFA0033775D887105CACA416882A681CBD6739CF653AD5E4EFA9E2
TrID 52.9% (.EXE) Win32 Executable (generic) (4504/4/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe xworm


Avatar
abuse_ch
XWorm C2:
185.163.204.65:49257

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.163.204.65:49257 https://threatfox.abuse.ch/ioc/1564195/

Intelligence

File Origin
# of uploads :
3
# of downloads :
48
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LBzdp1L.exe
Verdict:
Malicious activity
Analysis date:
2025-08-04 11:27:06 UTC
Tags:
remote xworm themida
Link:
https://app.any.run/tasks/3461c833-00ee-4b6c-9305-1acfd42335bb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18775/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.12564399.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689098dd0b4775fb21360b9d
Tags:
vmdetect virus
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Connection attempt
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/689098de32e61090868c8ca5/reports/9af6a5a1-358d-473b-ac17-cb569cb885b7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/a3b8536a04550944ecf85c48127505e50082b6ec876f085283837454f4a8101f
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f0d3cb54-af09-45c9-af93-088d3ff8a7e9
Result
Threat name:
VioletWorm, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1749781
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected VioletWorm
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a3b8536a04550944ecf85c48127505e50082b6ec876f085283837454f4a8101f
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/6eca361569dc360689f052ea75c090f0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a3b8536a04550944ecf85c48127505e50082b6ec876f085283837454f4a8101f/
Verdict:
Malicious
Threat:
HEUR:Trojan.Win32
Link:
https://tip.neiki.dev/file/a3b8536a04550944ecf85c48127505e50082b6ec876f085283837454f4a8101f
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-08-04 11:26:18 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uo4fg2qekueuj3hylrebe5if4uaifnxmq5xqquudqn2fj5ficapq._file
Verdict:
malicious
Label(s):
sorano
Create hunting rule
Similar samples:
42d33278d9c7b2cafc21199aec5788652403aa94f72515b2854dce75e420b27c
XWorm
5cd7d53733a1e7dfb496049ad7fc768cbb4fd7c72c5a74224abd2e5ed13411c3
XWorm
69ff5a476cc8159d19f557a74c3d96e0f16c33d5543b2d01506440164ca504d9
XWorm
73dd3c2f38c4ff75912b0a4a7f8d463efb71a362ae6a7c84a7dd58728fa8806b
XWorm
a3b8536a04550944ecf85c48127505e50082b6ec876f085283837454f4a8101f
XWorm
b6e53366dbd7c6665db9bb826ba00d769c8e4cfd8e4f43081b77ff822a55d839
XWorm
error
XWorm
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion discovery
Link:
https://tria.ge/reports/250804-njxzlabp7t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/485aeed0-884e-42b1-9f92-329f87e59638
Unpacked files
SH256 hash:
a3b8536a04550944ecf85c48127505e50082b6ec876f085283837454f4a8101f
MD5 hash:
6eca361569dc360689f052ea75c090f0
SHA1 hash:
30fa446b5ef34c795dc7879ac8c5479ca94ad2b6
Link:
https://www.unpac.me/results/1f320f91-a65e-47e3-9f5d-d967a2a51358/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a3b8536a04550944ecf85c48127505e50082b6ec876f085283837454f4a8101f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Executable exe a3b8536a04550944ecf85c48127505e50082b6ec876f085283837454f4a8101f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3596100/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/18775/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments