MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a91e3683c722e1297819b684bad319220bd0b05b3bb5bed88a7e06cf003fd9cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a91e3683c722e1297819b684bad319220bd0b05b3bb5bed88a7e06cf003fd9cb
SHA3-384 hash: cbda3354345b3eda6f04876ea7b8a05114cc6b176f8bb4784783d68a11354b74c3157fb26b372f438bddb07be5333fb2
SHA1 hash: 2f9a478aa2209d2aac3f52b8b9a8411befb99c2b
MD5 hash: 6c8b17644497de08842ebb8508c8cbb1
humanhash: dakota-alabama-table-bacon
File name:a91e3683c722e1297819b684bad319220bd0b05b3bb5bed88a7e06cf003fd9cb
Download: download sample
Signature XWorm
Create hunting rule
File size:435'784 bytes
First seen:2026-01-05 22:29:25 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash e3077cf7522cfe810fbbfc325fbe2fad (1 x XWorm)
ssdeep 6144:MbpVMRMdk/dOQYbuHBuQzjOqmxq7scRXL4pjXJ2tBlAstUCTeG/Ar++w:cMY0gQYcexq7scNEpjZlCTeh+3
TLSH T174945D01A6919034F9FF15F959BE256D983C7EE1172894CB93C429EF8A35AE0BD3031B
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter johnk3r
Tags:dll minacu-go-gov-br signed supphouse-minhacasa-tv xworm

Code Signing Certificate

Organisation:AURORA SOLUCOES & TURISMO LTDA
Issuer:SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm:sha256WithRSAEncryption
Valid from:2025-10-13T21:51:43Z
Valid to:2026-10-13T21:51:43Z
Serial number: 18c1f0e7cac9039caff80eaddf948ee1
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: f2426bbb42ceb181d31d743936d9dce89bc9cdf307ce9f80358634d95b197afb
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
CH CH
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47785/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=695c3b82e148d42004dfb15d
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug fingerprint microsoft_visual_cc obfuscated signed
Link:
https://www.filescan.io/uploads/695c3b7fdb1b3f0505bdcd35/reports/2bf02035-2d0b-4e43-bd41-65003c06bec8/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/a91e3683c722e1297819b684bad319220bd0b05b3bb5bed88a7e06cf003fd9cb
Verdict:
Clean
File Type:
dll x32
First seen:
2026-01-05T17:23:00Z UTC
Last seen:
2026-01-05T23:51:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/a91e3683c722e1297819b684bad319220bd0b05b3bb5bed88a7e06cf003fd9cb/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1ed8e6be-1399-42b7-8b26-af5c4c496760
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1845189
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1845189 Sample: Dtfoa2PZgW.dll Startdate: 05/01/2026 Architecture: WINDOWS Score: 56 19 Malicious sample detected (through community Yara rule) 2->19 21 Multi AV Scanner detection for submitted file 2->21 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 1 7->11         started        13 rundll32.exe 7->13         started        15 9 other processes 7->15 process5 17 rundll32.exe 9->17         started       
Score:
45%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/a91e3683c722e1297819b684bad319220bd0b05b3bb5bed88a7e06cf003fd9cb
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/6c8b17644497de08842ebb8508c8cbb1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a91e3683c722e1297819b684bad319220bd0b05b3bb5bed88a7e06cf003fd9cb/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/a91e3683c722e1297819b684bad319220bd0b05b3bb5bed88a7e06cf003fd9cb
Threat name:
Win32.Trojan.XWorm
Create hunting rule
Status:
Malicious
First seen:
2026-01-05 21:38:33 UTC
File Type:
PE (Dll)
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vepdna6helqss6azw2clvuyzeif5bmc3ho235wekpydm6ab73hfq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/260105-2gyd8sas2d/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
a91e3683c722e1297819b684bad319220bd0b05b3bb5bed88a7e06cf003fd9cb
MD5 hash:
6c8b17644497de08842ebb8508c8cbb1
SHA1 hash:
2f9a478aa2209d2aac3f52b8b9a8411befb99c2b
Link:
https://www.unpac.me/results/44568c50-e110-4391-ab42-44b27688c876/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/a91e3683c722e1297819b684bad319220bd0b05b3bb5bed88a7e06cf003fd9cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

PureLogsStealer

Executable exe aa412cb3954e212d73da73ceb3fb468d74b2acbbdeb09ff3eb015c914bede0a0

XWorm

DLL dll a91e3683c722e1297819b684bad319220bd0b05b3bb5bed88a7e06cf003fd9cb

(this sample)

  
Dropped by
SHA256 aa412cb3954e212d73da73ceb3fb468d74b2acbbdeb09ff3eb015c914bede0a0
Cape
Cape
https://www.capesandbox.com/analysis/47785/
  
Dropped by
MD5 b13f04125bcf47f121c8618cc6384504

Comments