MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abe5a2957e1f2b45fbb5a6ab326e7c5b736014537eeab13a436ed033fa5ca532. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 16

Intelligence 16 IOCs YARA 5 File information Comments

SHA256 hash:	abe5a2957e1f2b45fbb5a6ab326e7c5b736014537eeab13a436ed033fa5ca532
SHA3-384 hash:	b9e10c1589ce36089e7eb210aaf5fda18b349a143e27195f08664d2dc3433bbf7fb39d116b177a1d4442a308826bedba
SHA1 hash:	f7e5c650ece123b7f7edf89f1fd954e4b9c9a14e
MD5 hash:	0357e5630839352ab57bdfe962848cb9
humanhash:	lamp-east-football-zulu
File name:	abe5a2957e1f2b45fbb5a6ab326e7c5b736014537eeab13a436ed033fa5ca532
Download:	download sample
Signature	XWorm Create hunting rule
File size:	1'593'344 bytes
First seen:	2025-11-06 10:30:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b40609de886ef72ceb73cff55949ffee (3 x a310Logger, 2 x DBatLoader, 1 x AgentTesla)
ssdeep	24576:VfDh9RTCMxKy+9CunRyQlh15QWrbuGUHT+h15QWrbuGUHTL:VF7TtEp7pHQEpHQH
Threatray	174 similar samples on MalwareBazaar
TLSH	T1EF75E011F291847BD126153E9C2BEBD6282DBE642F14B81E7BDD1E0D7F3D6C27826092
TrID	35.4% (.EXE) Win64 Executable (generic) (10522/11/4) 22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.1% (.EXE) Win32 Executable (generic) (4504/4/1) 6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) 6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	adrian__luca
Tags:	exe xworm

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

abe5a2957e1f2b45fbb5a6ab326e7c5b736014537eeab13a436ed033fa5ca532

Verdict:

Malicious activity

Analysis date:

2025-11-06 12:47:10 UTC

Tags:

delphi auto-sch xworm

Link:

https://app.any.run/tasks/dbd310d9-d345-4bb6-a781-c7c184bd879a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/35750/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690c7907ea0f3e915c23801b

Tags:

delphi emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file

Launching a process

Creating a process with a hidden window

Moving of the original file

Connection attempt to an infection source

Enabling autorun by creating a file

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/abe5a2957e1f2b45fbb5a6ab326e7c5b736014537eeab13a436ed033fa5ca532

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-14T06:03:00Z UTC

Last seen:

2025-11-07T21:15:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/abe5a2957e1f2b45fbb5a6ab326e7c5b736014537eeab13a436ed033fa5ca532/results?tab=lookup

Malware family:

ModiLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c515f670-6285-4be7-ae6f-bd1c9a5d9a03

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/abe5a2957e1f2b45fbb5a6ab326e7c5b736014537eeab13a436ed033fa5ca532

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/0357e5630839352ab57bdfe962848cb9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/abe5a2957e1f2b45fbb5a6ab326e7c5b736014537eeab13a436ed033fa5ca532/

Threat name:

Win32.Trojan.DBatLoader

Status:

Malicious

First seen:

2025-10-14 09:17:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 36 (69.44%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vps2ffl6d4vul65vu2vte3t4lnzwafctp3vlcosdn3idh6s4uuza._file

Verdict:

malicious

Label(s):

donutloader

dbatloader

XWorm

29c0926ce65fb1f21dbf99788c837a9d281dbf14ce231c6c48cd97048bbc0278

XWorm

68e4f5fa48a43147614b9ded12822c3342d43c67acc20dda2b65e45bf2547af6

XWorm

a09e35a027bd67de817db93775499f961dce2cb86775a633d8c37c36f08318a9

XWorm

d5ee487c616532dab3c06755f8df4d201072d815e687f7e495b24781172f8313

XWorm

+ 164 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:modiloader family:xworm discovery execution persistence rat trojan

Link:

https://tria.ge/reports/251106-mj8knazmdx/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

ModiLoader Second Stage

Detect Xworm Payload

ModiLoader, DBatLoader

Modiloader family

Xworm

Xworm family

Malware Config

C2 Extraction:

198.12.126.169:8823

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ad3a81d7-189a-44da-b72b-7fe2c9a4969a

Unpacked files

SH256 hash:

abe5a2957e1f2b45fbb5a6ab326e7c5b736014537eeab13a436ed033fa5ca532

MD5 hash:

0357e5630839352ab57bdfe962848cb9

SHA1 hash:

f7e5c650ece123b7f7edf89f1fd954e4b9c9a14e

Link:

https://www.unpac.me/results/ec6041c3-861c-4975-8730-c6f830d9120a/

SH256 hash:

7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

MD5 hash:

c116d3604ceafe7057d77ff27552c215

SHA1 hash:

452b14432fb5758b46f2897aeccd89f7c82a727d

Link:

https://www.unpac.me/results/ec6041c3-861c-4975-8730-c6f830d9120a/

SH256 hash:

3e9fedb9328eb488c37b1c4e80a7fe38e93ceb26a345a22c3f0bdd33dab658ff

MD5 hash:

8be2550629388c6ff99b18e2ca6a4c40

SHA1 hash:

f558f5dbb846720fb32376453739670e8498f099

Detections:

Typical_Malware_String_Transforms

Link:

https://www.unpac.me/results/ec6041c3-861c-4975-8730-c6f830d9120a/

Parent samples :

f8d8e8cefdddc14bd1efd94853b1259109f35811f51082dfd33cb275f87ddb23
14414264593e79ab0c9c313398fa15fceb763616e6bea0a1c3ebddf2a117a8ab
a09e35a027bd67de817db93775499f961dce2cb86775a633d8c37c36f08318a9
24797e25716cbf6769a7437f693e9570e8cabfad8fcbe1c54b46b3c638cc6fd6
abe5a2957e1f2b45fbb5a6ab326e7c5b736014537eeab13a436ed033fa5ca532
a56471a8ae7e25b0114659b58771838d0f1dbeb4e1f0e562cc50202372fd3273

Malware family:

DonutLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/abe5a2957e1f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/abe5a2957e1f2b45fbb5a6ab326e7c5b736014537eeab13a436ed033fa5ca532

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/35750/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample