MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a79144ac2441047775ba349433a8b27aed0c8087aae033e68fa21692412abef9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	a79144ac2441047775ba349433a8b27aed0c8087aae033e68fa21692412abef9
SHA3-384 hash:	f00576c8baab36dc3a80c7968c2f65ac51c86c3d59cab2697d5c39fa2eb3e4b9a398d235b827234c8ccd01a36d89163e
SHA1 hash:	44389b98bdcf466f5f6f377d2c88a583f2062bf7
MD5 hash:	e591e88d4062e6d0bcc2f41e48ae923a
humanhash:	six-eighteen-lima-maryland
File name:	a79144ac2441047775ba349433a8b27aed0c8087aae033e68fa21692412abef9
Download:	download sample
Signature	XWorm Create hunting rule
File size:	536'656 bytes
First seen:	2025-12-08 14:30:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6e7f9a29f2c85394521a08b9f31f6275 (300 x GuLoader, 53 x RemcosRAT, 51 x VIPKeylogger)
ssdeep	12288:4MweUzNb/ZuMCWMIsDQPmKwj7BTyjkGWbe:4MweUzNb/ZYWMIs/j9+jB6e
TLSH	T124B412817385C083DA7255701EA5CE752B76FD3AA990878732C4BF1B7DB32425A1FB0A
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	adrian__luca
Tags:	exe signed xworm

Code Signing Certificate

Organisation:	zairere
Issuer:	zairere
Algorithm:	sha256WithRSAEncryption
Valid from:	2025-09-15T00:23:34Z
Valid to:	2026-09-15T00:23:34Z
Serial number:	7e5551ff2829a2842a82a8861683df3b8cbb199c
Thumbprint Algorithm:	SHA256
Thumbprint:	6afeb94b3203096bfaa71dbb50f566915d724ff156d5904f2304b7d54e34f451
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/ec9047e9-f96d-46bf-bf3d-88ee11b653c3/

Malware family:

n/a

ID:

File name:

a79144ac2441047775ba349433a8b27aed0c8087aae033e68fa21692412abef9

Verdict:

Malicious activity

Analysis date:

2025-12-08 15:09:30 UTC

Tags:

pastebin remote xworm stealer

Link:

https://app.any.run/tasks/de0fcb25-b41c-4380-9c03-8a2e90cbc48e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/43025/

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6936e13fdb58e1a2c22b80b2

Tags:

injection obfusc virus

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/a79144ac2441047775ba349433a8b27aed0c8087aae033e68fa21692412abef9

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-09T21:30:00Z UTC

Last seen:

2025-12-10T12:15:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/a79144ac2441047775ba349433a8b27aed0c8087aae033e68fa21692412abef9/results?tab=lookup

Malware family:

Unlabeled

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d92439cb-8acb-4bc9-8f5c-544d86805e5c

Score:

84%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a79144ac2441047775ba349433a8b27aed0c8087aae033e68fa21692412abef9

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/e591e88d4062e6d0bcc2f41e48ae923a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a79144ac2441047775ba349433a8b27aed0c8087aae033e68fa21692412abef9/

Threat name:

Win32.Trojan.GuLoader

Status:

Malicious

First seen:

2025-11-10 00:06:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 36 (52.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=u6iujlbeiecho5n2gskdhkfsplwqzaehvlqdhzupuiljeqjkx34q._file

Result

Malware family:

xworm

Score:

10/10

Tags:

family:guloader family:xworm collection discovery downloader rat spyware stealer trojan

Link:

https://tria.ge/reports/251208-rvxdzsykbm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Detect Xworm Payload

Guloader family

Guloader,Cloudeye

Xworm

Xworm family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3ab04fe9-2f6b-4daf-9e91-db8d61e820c7

Unpacked files

SH256 hash:

a79144ac2441047775ba349433a8b27aed0c8087aae033e68fa21692412abef9

MD5 hash:

e591e88d4062e6d0bcc2f41e48ae923a

SHA1 hash:

44389b98bdcf466f5f6f377d2c88a583f2062bf7

Link:

https://www.unpac.me/results/06a70ba6-30d9-4b36-822c-f9091ec48b44/

SH256 hash:

6bf9cccd8a600f4d442efe201e8c07b49605ba35f49a4b3ab22fa2641748e156

MD5 hash:

48f3e7860e1de2b4e63ec744a5e9582a

SHA1 hash:

420c64d802a637c75a53efc8f748e1aede3d6dc6

Link:

https://www.unpac.me/results/06a70ba6-30d9-4b36-822c-f9091ec48b44/

SH256 hash:

7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

MD5 hash:

564bb0373067e1785cba7e4c24aab4bf

SHA1 hash:

7c9416a01d821b10b2eef97b80899d24014d6fc1

Link:

https://www.unpac.me/results/06a70ba6-30d9-4b36-822c-f9091ec48b44/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a79144ac2441047775ba349433a8b27aed0c8087aae033e68fa21692412abef9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/43025/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample