MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5df131373e2480d28873f9a2df7d4eadf0020267d3300ef0d2e7f6e282226ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5df131373e2480d28873f9a2df7d4eadf0020267d3300ef0d2e7f6e282226ed
SHA3-384 hash: 26059babdc504f643ed291dabd97805c7cd235c8979d0b297da9b1422ad01521dbdfd6541af2bdcf2d1e715829469f3e
SHA1 hash: 82007fcce44e9f20b2de8143f80c242a787da735
MD5 hash: 0f3228b29832e4ef86cabdad4b4ac02a
humanhash: sad-video-leopard-whiskey
File name:XWorm_DNS_Crypter.exe
Download: download sample
File size:3'133'895 bytes
First seen:2023-07-08 16:50:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a66290ff0511a09df9cdce9b6ea86e77 (2 x XWorm, 1 x AsyncRAT, 1 x VenomRAT)
ssdeep 49152:ytNOLw16fDtAvJIkkCBJroBdDv6Lj9ukvTBvj4T7Nx2Yn68c:y9hJIkkCBJroBdDv6Lj9uGx4T7Nx2YnI
Threatray 411 similar samples on MalwareBazaar
TLSH T181E5F9436ACB0DA6CED66BB461D31335A778FD61CB2A5F3F6A08C63419536C4AD1AF00
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter ULTRAFRAUD
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
AT AT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
XWorm_DNS_Crypter.exe
Verdict:
Malicious activity
Analysis date:
2023-07-08 16:52:55 UTC
Tags:
xworm
Link:
https://app.any.run/tasks/292f15c3-eae6-44f6-be39-ecb640b83b1a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/412163/
Detection(s):
SecuriteInfo.com.HEUR.Trojan.PowerShell.Generic.15721.3639.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Running batch commands
Launching a process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Creating a file in the %temp% directory
Changing a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/96604/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug overlay
Link:
https://www.filescan.io/uploads/64a993f782e04d158394a187/reports/e400c90d-b2b9-40c5-b964-ac1b405ed6b5/overview
Verdict:
Suspicious
Labled as:
Trojan.PowerShell
Link:
https://www.hybrid-analysis.com/sample/b5df131373e2480d28873f9a2df7d4eadf0020267d3300ef0d2e7f6e282226ed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7b93e652-631c-4d17-a3e1-b22412e5156b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5df131373e2480d28873f9a2df7d4eadf0020267d3300ef0d2e7f6e282226ed/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wxprge3t4jea2kehh6nc356u5lpqaibgpuzqb3ynfz7w4kbce3wq._file
Verdict:
malicious
Similar samples:
0c46021aa8d5a1164ee93248ea12f42e05612006943fb9bf32d2d4fbd4a9dcbc
7af153ac40fe111dc312c90544b1e6c2c7ffbd5cc116eea719cfd52d6027e35a
8208cfaf613e0faa2922695a85ce126e1c1f9f8c86a8826ec27d2711f5f580da
8e8f5453c938c96bc1599782b134f57a1e897cc3d2813f8c162e7dafbf791dc9
9800bef9d4936ee96d4872fb686121dd7209f8b529e9bdc833c4fe54bb68f5c8
a44e7420e441548adddf0d79cc51e46211ebfa7dde08e5c95211eb3f95d0e570
cf0b088eebc8a8f34701f9fc9146a45296fc0f002e2c660a519b5b3b1d9e2bc8
ef69f3e6161a2dbecefb9b991023e062877415ad1c1be084e6d331a91a74e596
+ 401 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/230708-vcs6dsgg2v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Adds Run key to start application
Drops startup file
Executes dropped EXE
Blocklisted process makes network request
Unpacked files
SH256 hash:
b5df131373e2480d28873f9a2df7d4eadf0020267d3300ef0d2e7f6e282226ed
MD5 hash:
0f3228b29832e4ef86cabdad4b4ac02a
SHA1 hash:
82007fcce44e9f20b2de8143f80c242a787da735
Link:
https://www.unpac.me/results/c8808546-754f-4e49-90bc-5bc4c0f9dadf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b5df131373e2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b5df131373e2480d28873f9a2df7d4eadf0020267d3300ef0d2e7f6e282226ed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe b5df131373e2480d28873f9a2df7d4eadf0020267d3300ef0d2e7f6e282226ed

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/412163/
  
URLhaus
https://urlhaus.abuse.ch/url/2678878/
  
Delivery method
Distributed via web download

Comments