MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b03cb23646dee8bd2b487c19017ed4bdcc7779e76fc27e016c73048cd9f311af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b03cb23646dee8bd2b487c19017ed4bdcc7779e76fc27e016c73048cd9f311af
SHA3-384 hash: 9b1e7bbf425a9a1d170e603ab851f1455fe962d96180904f5199e5d100b81c4772455678681d49d5ddc1137cfed18c9c
SHA1 hash: 2ecd296f1c61bc68c01678e439fd2243b3d03449
MD5 hash: 13430cbb2605ec4e89ed46333e60082a
humanhash: sierra-bacon-winter-alaska
File name:random.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:1'890'816 bytes
First seen:2025-04-30 08:33:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:3JcOeL/CNkseUMvSTB2TspfT1b9tLm0489:56aNk0oyosfBJ
Threatray 173 similar samples on MalwareBazaar
TLSH T17A9533C35DFC52BBFDADC23788EE8B4E89A93F21F3BF8168E553923213099520525459
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
478
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-04-30 08:38:53 UTC
Tags:
stealer lumma themida loader amadey botnet auto rdp
Link:
https://app.any.run/tasks/4a8e4667-9510-4663-983e-4af730ef834b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5186/
Detection(s):
SecuriteInfo.com.Trojan.Lumma-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6811e182c8b2e86d0ac50d22
Tags:
phishing autorun
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypt packed packed packer_detected xpack
Link:
https://www.filescan.io/uploads/6811e08246fe05453caac787/reports/33fea7a1-2479-46d6-91dd-5a89b9e6d7d1/overview
Verdict:
Malicious
Labled as:
Symmi.Generic
Link:
https://www.hybrid-analysis.com/sample/b03cb23646dee8bd2b487c19017ed4bdcc7779e76fc27e016c73048cd9f311af
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3c81537f-7af5-4f95-8ea1-f2f741c49541
Result
Threat name:
Amadey, Credential Flusher, CryptOne, He
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1677993
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates HTA files
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Credential Flusher
Yara detected CryptOne packer
Yara detected Healer AV Disabler
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1677993 Sample: random.exe Startdate: 30/04/2025 Architecture: WINDOWS Score: 100 98 pastebin.com 2->98 100 techsyncq.run 2->100 102 15 other IPs or domains 2->102 126 Suricata IDS alerts for network traffic 2->126 128 Found malware configuration 2->128 130 Antivirus detection for URL or domain 2->130 134 25 other signatures 2->134 10 saved.exe 4 44 2->10         started        15 random.exe 1 2->15         started        17 47ec952b93.exe 2->17         started        19 4 other processes 2->19 signatures3 132 Connects to a pastebin service (likely for C&C) 98->132 process4 dnsIp5 114 185.39.17.163, 49716, 49717, 49720 RU-TAGNET-ASRU Russian Federation 10->114 88 C:\Users\user\AppData\...\16dbe93034.exe, PE32+ 10->88 dropped 90 C:\Users\user\AppData\...\c5e14e223a.exe, PE32 10->90 dropped 92 C:\Users\user\AppData\...\b204c7bc62.exe, PE32 10->92 dropped 96 14 other malicious files 10->96 dropped 176 Contains functionality to start a terminal service 10->176 178 Creates multiple autostart registry keys 10->178 21 47ec952b93.exe 10->21         started        25 5bfd9963bb.exe 10->25         started        27 093f1a172d.exe 10->27         started        36 4 other processes 10->36 116 185.39.17.162, 49708, 49718, 49722 RU-TAGNET-ASRU Russian Federation 15->116 118 vecturar.top 104.21.62.226, 443, 49698, 49699 CLOUDFLARENETUS United States 15->118 94 C:\...\VTURUJ8W38RWKUA6K4SW7EMV7XMPHUE.exe, PE32 15->94 dropped 180 Detected unpacking (changes PE section rights) 15->180 182 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->182 184 Query firmware table information (likely to detect VMs) 15->184 200 5 other signatures 15->200 29 VTURUJ8W38RWKUA6K4SW7EMV7XMPHUE.exe 4 15->29         started        186 Tries to harvest and steal ftp login credentials 17->186 188 Tries to harvest and steal browser information (history, passwords, etc) 17->188 190 Tries to steal Crypto Currency Wallets 17->190 192 Tries to steal from password manager 17->192 31 chrome.exe 17->31         started        194 Suspicious powershell command line found 19->194 196 Tries to download and execute files (via powershell) 19->196 198 Hides threads from debuggers 19->198 34 powershell.exe 19->34         started        file6 signatures7 process8 dnsIp9 78 C:\Users\...\CJIMKV0TPPCF09KZ0TR0SQD5LN.exe, PE32 21->78 dropped 136 Antivirus detection for dropped file 21->136 138 Detected unpacking (changes PE section rights) 21->138 140 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->140 154 4 other signatures 21->154 38 CJIMKV0TPPCF09KZ0TR0SQD5LN.exe 21->38         started        156 5 other signatures 25->156 80 C:\Users\user\AppData\...\svchost015.exe, PE32 27->80 dropped 158 6 other signatures 27->158 41 svchost015.exe 27->41         started        82 C:\Users\user\AppData\Local\...\saved.exe, PE32 29->82 dropped 142 Multi AV Scanner detection for dropped file 29->142 144 Contains functionality to start a terminal service 29->144 146 Contains functionality to inject code into remote processes 29->146 44 saved.exe 29->44         started        120 192.168.2.11, 443, 49698, 49699 unknown unknown 31->120 46 chrome.exe 31->46         started        48 conhost.exe 34->48         started        122 steamcommunity.com 23.52.218.12, 443, 49719, 49725 TelecentroSAAR United States 36->122 124 victoreqs.run 172.67.157.242, 443, 49721, 49723 CLOUDFLARENETUS United States 36->124 84 C:\Users\user\AppData\Local\...\J0eCYF9mI.hta, HTML 36->84 dropped 148 Detected unpacking (creates a PE file in dynamic memory) 36->148 150 Query firmware table information (likely to detect VMs) 36->150 152 Binary is likely a compiled AutoIt script file 36->152 160 2 other signatures 36->160 50 mshta.exe 36->50         started        52 cmd.exe 36->52         started        54 taskkill.exe 36->54         started        56 5 other processes 36->56 file10 signatures11 process12 dnsIp13 104 185.156.72.196 ITDELUXE-ASRU Russian Federation 41->104 106 drive.usercontent.google.com 142.250.68.225 GOOGLEUS United States 41->106 162 Multi AV Scanner detection for dropped file 44->162 164 Contains functionality to start a terminal service 44->164 108 www.google.com 142.250.69.4 GOOGLEUS United States 46->108 110 plus.l.google.com 46->110 112 3 other IPs or domains 46->112 166 Suspicious powershell command line found 50->166 168 Tries to download and execute files (via powershell) 50->168 58 powershell.exe 50->58         started        170 Uses schtasks.exe or at.exe to add and modify task schedules 52->170 62 conhost.exe 52->62         started        64 schtasks.exe 52->64         started        66 conhost.exe 54->66         started        68 conhost.exe 56->68         started        70 conhost.exe 56->70         started        72 conhost.exe 56->72         started        74 conhost.exe 56->74         started        signatures14 process15 file16 86 Temp9UO359Z8DJEYQLF1TMGSIU2XYDZFLA0H.EXE, PE32 58->86 dropped 172 Found many strings related to Crypto-Wallets (likely being stolen) 58->172 174 Powershell drops PE file 58->174 76 conhost.exe 58->76         started        signatures17 process18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b03cb23646dee8bd2b487c19017ed4bdcc7779e76fc27e016c73048cd9f311af
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b03cb23646dee8bd2b487c19017ed4bdcc7779e76fc27e016c73048cd9f311af/
Threat name:
Win32.Trojan.Lummac
Create hunting rule
Status:
Malicious
First seen:
2025-04-29 13:29:09 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wa6lensg33ul2k2ipqmqc7wuxxgho6phn7bh4almomcizwptcgxq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
amadey
Create hunting rule
Similar samples:
0d7498868db177729da82ff4652d944ab6d4700c7467e8b8a6a2a65b423042a2
XWorm
296497459462840bf9e8874e312088c4a85aae75d460d0d5bcc75a9d582343eb
XWorm
42d37e42110f177ffdfc32bc5655ba5b0b85031c110f5f36d681d336190d34ff
XWorm
46b2de15860d23bb541610209f307d5007f3811b0cdfcf3860f3a7d76ae42d5b
XWorm
8b0b20727462c5f3d5a4ace630d9690528dcefa79407480db3abde2455f700d8
XWorm
cc8607b4d2293f00f6e33b0869459019ba27813ecabb1ea884c23cca9c0f0d61
XWorm
ebe2c37bac602f6d0e7094b863f2f793cba9fa35a0a581d8702f153c2178b9fa
XWorm
error
XWorm
f767fa2879dc1d53e423e63f9d7773611002594c63fcfc0f02cf42bdee5b4731
XWorm
+ 163 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:healer family:lumma family:njrat family:quasar family:vidar family:xworm botnet:679baacdfb37d393d82955c1399602f6 botnet:f272e9 botnet:user credential_access defense_evasion discovery dropper execution persistence rat spyware stealer themida trojan
Link:
https://tria.ge/reports/250430-kggm2sxxg1/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
GoLang User-Agent
Kills process with taskkill
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Detect Vidar Stealer
Detect Xworm Payload
Detects Healer an antivirus disabler dropper
Healer
Healer family
Lumma Stealer, LummaC
Lumma family
Njrat family
Quasar RAT
Quasar family
Quasar payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Vidar family
Xworm
Xworm family
njRAT/Bladabindi
Malware Config
C2 Extraction:
https://vecturar.top/zsia
https://zenithcorde.top/auid
https://techguidet.digital/apdo
https://btcgeared.live/lbak
https://buzzarddf.live/ktnt
https://xtechsyncq.run/riid
https://parakehjet.run/kewk
https://pblockhubr.live/jhgf
https://wtechguidet.digital/apdo
https://techsyncq.run/riid
https://ibearjk.live/benj
https://pomelohgj.top/uiads
https://geographys.run/eirq
https://woodpeckersd.run/glsk
https://tropiscbs.live/iuwxx
https://biosphxere.digital/tqoa
https://ybearjk.live/benj
https://5datamanipy.run/bent
https://techchaiun.live/qwes
https://corexlaib.top/xzea
https://datawavej.digital/bafy
https://btechwaveg.run/oipz
https://datamanipy.run/bent
https://ddatawavej.digital/bafy
http://185.39.17.163
https://t.me/m00f3r
https://steamcommunity.com/profiles/76561199851454339
94.26.90.81:7771
94.26.90.81:7773
Dropper Extraction:
http://185.39.17.162/testmine/random.exe
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/755155cd-095e-4fe8-a704-50e474b94884
Unpacked files
SH256 hash:
b03cb23646dee8bd2b487c19017ed4bdcc7779e76fc27e016c73048cd9f311af
MD5 hash:
13430cbb2605ec4e89ed46333e60082a
SHA1 hash:
2ecd296f1c61bc68c01678e439fd2243b3d03449
Link:
https://www.unpac.me/results/119eb8d5-bc53-458c-81f1-b2f82b8178d9/
SH256 hash:
190f30cb4355cd97b811584e7c2a3f8d67d490bf0b445e9ed738cdf6ac243ff7
MD5 hash:
a31e652fc739f487e8eaa69d9a1827e2
SHA1 hash:
21bcee7a6a9255f18275b9b6d09fe44caa4a6320
Link:
https://www.unpac.me/results/119eb8d5-bc53-458c-81f1-b2f82b8178d9/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b03cb23646de/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b03cb23646dee8bd2b487c19017ed4bdcc7779e76fc27e016c73048cd9f311af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Executable exe b03cb23646dee8bd2b487c19017ed4bdcc7779e76fc27e016c73048cd9f311af

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3518568/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3511779/
Cape
Cape
https://www.capesandbox.com/analysis/5186/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments