MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad13c0c0dfa76575218c52bd2a378ed363a0f0d5ce5b14626ee496ce52248e7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad13c0c0dfa76575218c52bd2a378ed363a0f0d5ce5b14626ee496ce52248e7a
SHA3-384 hash: f49c4eb67ffa4a83d9fb574e045bd699c212b9912e8d078e7eacef92ad57254822ceb056594266634c10f665102339a9
SHA1 hash: 2c27c7d08ba4132edfd33fc0330df293310f3a57
MD5 hash: 5176a2dcf4b6794c8123d68b037e5e07
humanhash: summer-alanine-angel-friend
File name:scrubcrypt binary.bin
Download: download sample
Signature XWorm
Create hunting rule
File size:28'160 bytes
First seen:2022-12-26 18:22:56 UTC
Last seen:2022-12-26 19:33:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:hSNkeSX6qQ/oEt4UJrqfWuWjwk1bHQFN8byMpK:h2Ztoy4URqf2fi38byJ
Threatray 904 similar samples on MalwareBazaar
TLSH T14EC2D01043D64E25E02E9578A9E3073C09B14942A362C7B9FCD4B1FAFDA867998971E2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter 0xToxin
Tags:exe scrubcrypt xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
200
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
scrubcrypt binary.bin
Verdict:
Malicious activity
Analysis date:
2022-12-26 18:23:21 UTC
Tags:
xworm
Link:
https://app.any.run/tasks/ef13f888-4266-4d86-b605-b80983e49b8f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Generic.32728030.22604.27213.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Enabling the 'hidden' option for analyzed file
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Running batch commands
Creating a process from a recently created file
Creating a file
Creating a window
Enabling the 'hidden' option for recently created files
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63a9e6890fdf1633326c160d/reports/c908c716-3f06-46f7-856c-ac0c67430fde/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6655d187-0a9d-47e4-8706-d24165acb205
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1141224
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Schedule system process
Sigma detected: Schedule VBS From Appdata
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 773954 Sample: scrubcrypt binary.bin.exe Startdate: 26/12/2022 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic 2->64 66 Multi AV Scanner detection for domain / URL 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 10 other signatures 2->70 9 scrubcrypt binary.bin.exe 3 6 2->9         started        13 wscript.exe 1 2->13         started        process3 file4 48 C:\Users\user\AppData\...\dEwbycmIkb.bat, PE32 9->48 dropped 50 C:\Users\user\AppData\...\dEwbycmIkb.vbs, ASCII 9->50 dropped 52 C:\Users\...\dEwbycmIkb.bat:Zone.Identifier, ASCII 9->52 dropped 54 C:\Users\...\scrubcrypt binary.bin.exe.log, CSV 9->54 dropped 72 Obfuscated command line found 9->72 15 wscript.exe 1 9->15         started        17 cmd.exe 1 9->17         started        20 powershell.exe 11 9->20         started        22 conhost.exe 9->22         started        24 dEwbycmIkb.bat 3 13->24         started        signatures5 process6 signatures7 26 dEwbycmIkb.bat 4 15->26         started        58 Uses schtasks.exe or at.exe to add and modify task schedules 17->58 30 conhost.exe 17->30         started        32 schtasks.exe 1 17->32         started        60 Deletes itself after installation 20->60 34 conhost.exe 20->34         started        62 Obfuscated command line found 24->62 36 powershell.exe 24->36         started        38 conhost.exe 24->38         started        process8 dnsIp9 56 hurricane.ydns.eu 85.209.134.253, 2311, 49685 CMCSUS Germany 26->56 74 Antivirus detection for dropped file 26->74 76 Multi AV Scanner detection for dropped file 26->76 78 Obfuscated command line found 26->78 80 Machine Learning detection for dropped file 26->80 40 powershell.exe 5 26->40         started        42 conhost.exe 26->42         started        44 conhost.exe 36->44         started        signatures10 process11 process12 46 conhost.exe 40->46         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad13c0c0dfa76575218c52bd2a378ed363a0f0d5ce5b14626ee496ce52248e7a/
Threat name:
Win32.Trojan.RealProtect
Create hunting rule
Status:
Malicious
First seen:
2022-12-25 00:03:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vuj4bqg7u5sxkimmkk6sun4o2nr2b4gvzznriyto4slm4urerz5a._file
Verdict:
malicious
Similar samples:
04ce543c01a4bace549f6be2d77eb62567c7b65edbbaebc0d00d760425dcd578
XWorm
20d023d654dba4e16ec122b6339633eea418652a30d599a8c4a9bc3698d26b46
XWorm
2e085282467ab80f8064d2557f4afea9a82ba68e52ccd6f6f4c75e0f81dd0b30
XWorm
47dbb2594cd5eb7015ef08b7fb803cd5adc1a1fbe4849dc847c0940f1ccace35
XWorm
814187405811f7d0e9593ae1ddf0a43ccbd9e8a37bee7688178487eeef3860c6
XWorm
81e8128aa6b5329f1dd0a72850a029956157ca6969178451f6136f291e0e5878
XWorm
9c287becd7e1b3a9599a6454176188595f279a82809af5ec6233684c34368aa2
XWorm
f612fed2c8845c7bacc9ac0d7263d0814932ec05939c28494d98ebbf7e163b79
XWorm
f83a161ef69ac7ab92c5386f3a7ab7528095a9926b2f89f0d95632a37c76d0b0
XWorm
+ 894 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm rat trojan
Link:
https://tria.ge/reports/221226-w1fqmsdd47/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Xworm
Malware Config
C2 Extraction:
hurricane.ydns.eu:2311
Unpacked files
SH256 hash:
f59374b1eddd6690c5e388f581a14764e2ac301856c81787696098c7c6362d59
MD5 hash:
9e8cd61db584464d3505a50d0a09620b
SHA1 hash:
cb4573de34de2f4873821a031fb392ddb6eadc8f
Link:
https://www.unpac.me/results/54436135-9e46-41a6-b66e-3baac561ad94/
SH256 hash:
ad13c0c0dfa76575218c52bd2a378ed363a0f0d5ce5b14626ee496ce52248e7a
MD5 hash:
5176a2dcf4b6794c8123d68b037e5e07
SHA1 hash:
2c27c7d08ba4132edfd33fc0330df293310f3a57
Link:
https://www.unpac.me/results/54436135-9e46-41a6-b66e-3baac561ad94/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad13c0c0dfa76575218c52bd2a378ed363a0f0d5ce5b14626ee496ce52248e7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat_Detection_Dec_2022
Create hunting rule
Author:Potatech
Description:AsyncRat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments