MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a67dcfbda4c679aab573e9bea364d8f1a41ea29ce0ae7b609bc16242e3cba434. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm
Vendor detections: 18

SHA256 hash: a67dcfbda4c679aab573e9bea364d8f1a41ea29ce0ae7b609bc16242e3cba434
SHA3-384 hash: c090333c00f7087b8f0f536069bff2c6026d5d86cba0a56f6441119783aa8aff7fbd626fbbb29905ea736389dc3d1a70
SHA1 hash: b07b1280ced06031d5fb2508193b6d2c6ffcdc92
MD5 hash: d0f3161df3a38e33c5a338c195b3b801
humanhash: blue-magazine-speaker-seven
File name: d0f3161df3a38e33c5a338c195b3b801.exe
Signature XWorm
File size: 688'960 bytes
First seen: 2025-03-26 07:01:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 12288:yToPWBv/cpGrU3yirxXnlyAEfjwezsWRJaPvNww8kv4LV0XB1:yTbBv5rURxXlyHfjXzsqJkvNl8s4LV0b
Threatray 1'683 similar samples on MalwareBazaar
TLSH T194E4F122BFE584B2D47319325A24672169BCB9103FA98EFFA3804E5DD9315C3E731762
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10522/11/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 68e082410096e0e8 (1 x XWorm)
Reporter abuse_ch
Tags: exe xworm

Intelligence

File Origin
# of uploads: 1
# of downloads: 481
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: d0f3161df3a38e33c5a338c195b3b801.exe
Verdict: Malicious activity
Analysis date: 2025-03-26 07:03:10 UTC
Tags: crypto-regex quasar remote xworm

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Creating a file in the system32 subdirectories
Launching a process
Creating a process with a hidden window
Connection attempt
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Running batch commands
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm anti-vm asyncrat backdoor backnet cmd config-extracted explorer fingerprint hacktool installer keylogger lolbin microsoft_visual_cc njrat overlay packed packed packer_detected quasarrat rat reconnaissance remote runonce schtasks sfx vermin xworm
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Quasar, XWorm
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Quasar RAT
Yara detected XWorm
Behaviour
Behavior Graph (graph image not recoverable; node data as extracted from the page):
Behavior Graph ID: 1648784
Sample: 9I0bWEd8J8.exe
Startdate: 26/03/2025
Architecture: WINDOWS
Score: 100
Top-level network: ipwho.is
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
Top-level processes: 9I0bWEd8J8.exe; svchost.exe (network: 127.0.0.1 unknown unknown); fontdrvhost.exe

Process tree with dropped files, network contacts and per-node signatures:
  9I0bWEd8J8.exe
    dropped: C:\RunShell\RunVBC.exe (PE32); C:\RunShell\PowerShellRun.exe (PE32)
    signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    RunVBC.exe
      dropped: C:\Users\user\AppData\Local\Temp\exenly.exe (PE32)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 3 other signatures
      exenly.exe
        dropped: C:\Windows\System32\WmiPrvSE.exe (PE32)
        signatures: Antivirus detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them; Hides that the sample has been downloaded from the Internet (zone.identifier)
        WmiPrvSE.exe
          network: ipwho.is 15.204.213.5, 443, 49705 HP-INTERNET-ASUS United States
          signatures: Antivirus detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
          schtasks.exe -> conhost.exe
        schtasks.exe -> conhost.exe
      cmd.exe
        conhost.exe
        cmd.exe
          powershell.exe
            signatures: Suspicious powershell command line found; Adds a directory exclusion to Windows Defender
            powershell.exe
              signatures: Loading BitLocker PowerShell Module
              conhost.exe
            powershell.exe
          conhost.exe
          cmd.exe
          timeout.exe
      powershell.exe
        signatures: Suspicious powershell command line found; Adds a directory exclusion to Windows Defender; Loading BitLocker PowerShell Module
        conhost.exe
      powershell.exe -> conhost.exe
    PowerShellRun.exe
      dropped: C:\Windows\System32\...\fontdrvhost.exe (PE32)
      signatures: Drops executables to the windows directory (C:\Windows) and starts them; Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
      fontdrvhost.exe
        network: 89.39.121.77, 1497, 49681, 49683 NG-ASSosBucuresti-Ploiestinr42-44RO Romania
        signatures: Multi AV Scanner detection for dropped file
        schtasks.exe -> conhost.exe
      schtasks.exe -> conhost.exe
Threat name: ByteCode-MSIL.Spyware.AsyncRAT
Status: Malicious
First seen: 2025-03-23 08:26:24 UTC
File Type: PE (Exe)
Extracted files: 16
AV detection: 25 of 36 (69.44%)
Threat level: 2/5
Result
Malware family:
Score: 10/10
Tags: family:quasar family:xworm botnet:xworc botnet:xworm discovery execution rat spyware trojan
Behaviour
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in System32 directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Quasar RAT
Quasar family
Quasar payload
Xworm
Xworm family
Malware Config
C2 Extraction:
89.39.121.77:7777
89.39.121.77:1497
Unpacked files
SHA256 hash: a67dcfbda4c679aab573e9bea364d8f1a41ea29ce0ae7b609bc16242e3cba434
MD5 hash: d0f3161df3a38e33c5a338c195b3b801
SHA1 hash: b07b1280ced06031d5fb2508193b6d2c6ffcdc92

SHA256 hash: 651d5f75caeb2c7ca14a1e233ab02948a6c37fad1fdbce198942f926868666a7
MD5 hash: 0c41d47025d832447e6c1ee4cdf32a90
SHA1 hash: c5cee5002e77484aea9e3695d15d25dd685bdc60
Detections: QuasarRAT cn_utf8_windows_terminal malware_windows_xrat_quasarrat MAL_QuasarRAT_May19_1 Vermin_Keylogger_Jan18_1 MAL_BackNet_Nov18_1 INDICATOR_EXE_Packed_Fody INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_QuasarStealer

SHA256 hash: bba9a6ae7b2d6f3c71579e33c77538e6ee609d8ba6e075cacd69e06ec357bc23
MD5 hash: 4a09076528c90a8f1dc3be0d6035b965
SHA1 hash: 9e682cc33398bd2e624fdb7c87755f40e6d5a07f
Detections: win_xworm_w0 win_mal_XWorm INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_AsyncRAT MALWARE_Win_XWorm

SHA256 hash: dacbf4864d8f85ee60c08d61b7f71d217f398e443145ec0649156289e3871d34
MD5 hash: cc3725b249b3e7f918323f7b63bf7b6f
SHA1 hash: e0e030cb1a2ea8e75b9de2fcee024db4cf56c7a5
Detections: win_asyncrat_w0 SUSP_NET_Large_Static_Array_In_Small_File_Jan24 MAL_QuasarRAT_May19_1 HKTL_NET_GUID_Quasar asyncrat
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information
The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties and capabilities in executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
GDI_PLUS_API | Interfaces with Graphics | gdiplus.dll::GdiplusStartup, gdiplus.dll::GdiplusShutdown, gdiplus.dll::GdipAlloc
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::AllocConsole, KERNEL32.dll::AttachConsole, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateHardLinkW, KERNEL32.dll::CreateFileW, KERNEL32.dll::CreateFileMappingW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW
