MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4f90684e668c0b9fcaeec86477817cb14761b41d75016e9d16e006896641915. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 18

Intelligence 18 IOCs YARA 16 File information Comments

SHA256 hash:	a4f90684e668c0b9fcaeec86477817cb14761b41d75016e9d16e006896641915
SHA3-384 hash:	3b80177612bdeb9a1ecaeb4f622ec6ffe9c6940ef5ca5ccc0df1ec1296741c96f29f9b3bb84d494143b411b9a1413e67
SHA1 hash:	470da9bff0f6eda8915fc916fc1c8534b1b889b1
MD5 hash:	5e34804b4d5660b195013d46a35d6dc9
humanhash:	cola-tennessee-equal-cold
File name:	DHL-STATEMENT#9845642316278546098765.exe
Download:	download sample
Signature	XWorm Create hunting rule
File size:	33'280 bytes
First seen:	2025-07-26 13:03:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	768:116zY0FPCQvGFbO75SCVFo9j0VOjhIHbJ:T6zYHQ+bO75SYFo9jSOjCHN
Threatray	1'873 similar samples on MalwareBazaar
TLSH	T115E23C4877E08312C9FEAFF12DF2710A1275E11B9823EF5E0CD889963B67AC146507E6
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	abuse_ch
Tags:	DHL exe xworm

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

_a4f90684e668c0b9fcaeec86477817cb14761b41d75016e9d16e006896641915.exe

Verdict:

Malicious activity

Analysis date:

2025-07-26 13:18:24 UTC

Tags:

xworm

Link:

https://app.any.run/tasks/2083b714-4236-45e8-8182-10e5da259077

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/16997/

Detection(s):

Win.Packed.njRAT-10002074-1

Win.Packed.Msilzilla-10019837-0

Win.Packed.Loveletter-10023052-0

Win.Packed.Loveletter-10024677-0

Win.Packed.Msilzilla-10026193-0

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL

ditekSHen.MALWARE.Win.XWorm.UNOFFICIAL

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6884d2590b4775fb21317e36

Tags:

asyncrat stration micro remo

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Connection attempt to an infection source

Sending a TCP request to an infection source

Verdict:

Malicious

Labled as:

Jalapeno.Generic

Link:

https://www.hybrid-analysis.com/sample/a4f90684e668c0b9fcaeec86477817cb14761b41d75016e9d16e006896641915

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7bac5d76-3c2e-464a-81f6-fb1300ff98b5

Result

Threat name:

XWorm

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1744675

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a4f90684e668c0b9fcaeec86477817cb14761b41d75016e9d16e006896641915

Verdict:

njRat

YARA:

14 match(es)

Tags:

.Net Executable njRat PE (Portable Executable) RAT SOS: 0.21 Win 32 Exe x86

Link:

https://app.malva.re/file/5e34804b4d5660b195013d46a35d6dc9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a4f90684e668c0b9fcaeec86477817cb14761b41d75016e9d16e006896641915/

Verdict:

Malicious

Threat:

Backdoor.MSIL.XWorm

Link:

https://tip.neiki.dev/file/a4f90684e668c0b9fcaeec86477817cb14761b41d75016e9d16e006896641915

Threat name:

ByteCode-MSIL.Spyware.AsyncRAT

Status:

Malicious

First seen:

2025-07-24 14:33:32 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

31 of 35 (88.57%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ut4qnbhgndalt7fo5sdeo6axzmkhmg2b25ibn2ornyagrftedekq._file

Verdict:

malicious

Label(s):

xworm

XWorm

4c3c7c82fef77195b527cac193188f01065d38da118efdd8d51d8fb53f5af87e

XWorm

839ac710d88eef9e5eaaa68183cd2f5fec297b7094263582d3e5441cf396db50

XWorm

83e2f195b6ee3786b760b3f993a19dc3cab3430f8be98e06dcb18152acd6d709

XWorm

a90c46b549a798b086e2ef3ee17728c7456cdf3730b25f50500143e3a56de1f8

XWorm

ec86bb0fad6916b5f2ec59b29bbda6212d6feefb2e56f84fa95bbb3b8e13de01

XWorm

fd507e33cd59e92d5ab4abaeb54a2b2f60194c7075441d7f1d3c92c774456a8e

XWorm

+ 1'863 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm rat trojan

Link:

https://tria.ge/reports/250726-qa5desztfv/

Behaviour

Suspicious use of AdjustPrivilegeToken

Detect Xworm Payload

Xworm

Xworm family

Malware Config

C2 Extraction:

107.175.148.91:8085

Verdict:

Malicious

Tags:

rat xworm Win.Packed.njRAT-10002074-1

YARA:

MALWARE_Win_XWorm win_mal_XWorm

Link:

https://app.threat.zone/submission/b51a3995-fe79-4658-bcb8-823953ac8b10

Unpacked files

SH256 hash:

a4f90684e668c0b9fcaeec86477817cb14761b41d75016e9d16e006896641915

MD5 hash:

5e34804b4d5660b195013d46a35d6dc9

SHA1 hash:

470da9bff0f6eda8915fc916fc1c8534b1b889b1

Detections:

win_xworm_w0

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

MALWARE_Win_XWorm

Link:

https://www.unpac.me/results/77387a66-130f-464e-a023-5167d785e809/

Parent samples :

77b83e393ef87abb079566a928461c6348da9d6c3ab029d8781d97391d94adac
6a9f51fc80910555c294f00fc1d99907b22f0321f2a6b3db67a85192caf1a6d0
a4f90684e668c0b9fcaeec86477817cb14761b41d75016e9d16e006896641915

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a4f90684e668c0b9fcaeec86477817cb14761b41d75016e9d16e006896641915

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ByteCode_MSIL_Backdoor_AsyncRAT Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects AsyncRAT backdoor.

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	MALWARE_Win_AsyncRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AsyncRAT

Rule name:	MALWARE_Win_XWorm Create hunting rule
Author:	ditekSHen
Description:	Detects XWorm

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_DOTNET_PE_List_AV Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detecs .NET Binary that lists installed AVs

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	win_xworm_w0 Create hunting rule
Author:	jeFF0Falltrades
Description:	Detects win.xworm.

Rule name:	xworm Create hunting rule
Author:	jeFF0Falltrades

Rule name:	XWorm Create hunting rule
Author:	ditekSHen
Description:	Detects XWorm

Rule name:	xworm_kingrat Create hunting rule
Author:	jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/16997/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample