MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c128a32876c2adbac6ebd2e5da76f3c03e8d6db44850bb60c7d4a1ebcfb29bb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 20


Intelligence 20 IOCs 1 YARA 25 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c128a32876c2adbac6ebd2e5da76f3c03e8d6db44850bb60c7d4a1ebcfb29bb1
SHA3-384 hash: a118ef0cc8f3e591e748a634204cc7bee8cf415b6f54f51fe776948d44aa5e4533e6a611661423f5f34a9a26b92b2305
SHA1 hash: fa7263ca4ce2942510c0b433dcca573bb0808657
MD5 hash: f4985092b0e70641bd97fd6441f6bb56
humanhash: september-maryland-oven-autumn
File name:PO37025.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:605'184 bytes
First seen:2025-10-14 05:00:16 UTC
Last seen:2025-10-14 08:15:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Kj7jRcFJuZj8PQDqM/dmSyR5nsOghzshNQZulqbdvnJ5:Kj7jCFchfyRbgdGlqbF
Threatray 602 similar samples on MalwareBazaar
TLSH T13CD401983605E817D6268BB60271F37403BA5EE9B911D352EEEC3EEF79A9F405C50243
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter abuse_ch
Tags:exe xworm


Avatar
abuse_ch
XWorm C2:
203.202.232.54:3310

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
203.202.232.54:3310 https://threatfox.abuse.ch/ioc/1614657/

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_c128a32876c2adbac6ebd2e5da76f3c03e8d6db44850bb60c7d4a1ebcfb29bb1.exe
Verdict:
Malicious activity
Analysis date:
2025-10-14 05:02:21 UTC
Tags:
evasion auto-startup xworm crypto-regex
Link:
https://app.any.run/tasks/4130624f-c62a-44e2-b310-1d0d8c5977f4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/32610/
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68edd90c04e22ce9acd9c0f8
Tags:
spawn shell micro
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap lolbin msbuild obfuscated packed packed phishing ransomware ransomware reconnaissance regsvcs rezer0 roboski schtasks stego vbc vbnet xworm
Link:
https://www.filescan.io/uploads/68edd9074f3013c55e4cdf7b/reports/cde4bb92-e185-4a4e-bfdd-066b7404ff25/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c128a32876c2adbac6ebd2e5da76f3c03e8d6db44850bb60c7d4a1ebcfb29bb1
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-14T00:00:00Z UTC
Last seen:
2025-10-15T02:31:00Z UTC
Hits:
~100
Detections:
Backdoor.Agent.TCP.C&C Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Backdoor.MSIL.XWorm.a PDM:Trojan.Win32.Tasker.cust Trojan.Win32.Agent.sb Backdoor.MSIL.XWorm.b PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Taskun.gen
Link:
https://opentip.kaspersky.com/c128a32876c2adbac6ebd2e5da76f3c03e8d6db44850bb60c7d4a1ebcfb29bb1/results?tab=lookup
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a5b2ce36-277c-4331-be0d-4c4adcf6d56f
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1794455
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1794455 Sample: PO37025.exe Startdate: 14/10/2025 Architecture: WINDOWS Score: 100 69 ip-api.com 2->69 75 Suricata IDS alerts for network traffic 2->75 77 Found malware configuration 2->77 79 Malicious sample detected (through community Yara rule) 2->79 81 12 other signatures 2->81 9 PO37025.exe 4 2->9         started        13 PO37025.exe 2->13         started        15 PO37025.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 file5 67 C:\Users\user\AppData\...\PO37025.exe.log, ASCII 9->67 dropped 93 Bypasses PowerShell execution policy 9->93 95 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->95 97 Uses schtasks.exe or at.exe to add and modify task schedules 9->97 99 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 9->99 19 PO37025.exe 16 8 9->19         started        24 powershell.exe 23 9->24         started        101 Antivirus detection for dropped file 13->101 103 Multi AV Scanner detection for dropped file 13->103 105 Adds a directory exclusion to Windows Defender 13->105 26 PO37025.exe 13->26         started        107 Injects a PE file into a foreign processes 15->107 28 powershell.exe 15->28         started        30 PO37025.exe 15->30         started        32 PO37025.exe 15->32         started        34 powershell.exe 17->34         started        36 PO37025.exe 17->36         started        38 PO37025.exe 17->38         started        signatures6 process7 dnsIp8 71 203.202.232.54, 3310, 49693 ACCESSSMART-ASAccessSmartSolutionsIndiaPvtLtdIN India 19->71 73 ip-api.com 208.95.112.1, 49690, 80 TUT-ASUS United States 19->73 65 C:\Users\user\AppData\Roaming\PO37025.exe, PE32 19->65 dropped 83 Protects its processes via BreakOnTermination flag 19->83 85 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 19->85 87 Adds a directory exclusion to Windows Defender 19->87 40 powershell.exe 23 19->40         started        43 powershell.exe 21 19->43         started        45 powershell.exe 19->45         started        47 schtasks.exe 19->47         started        49 conhost.exe 24->49         started        89 Loading BitLocker PowerShell Module 28->89 51 conhost.exe 28->51         started        53 WmiPrvSE.exe 28->53         started        55 conhost.exe 34->55         started        file9 signatures10 process11 signatures12 91 Loading BitLocker PowerShell Module 40->91 57 conhost.exe 40->57         started        59 conhost.exe 43->59         started        61 conhost.exe 45->61         started        63 conhost.exe 47->63         started        process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c128a32876c2adbac6ebd2e5da76f3c03e8d6db44850bb60c7d4a1ebcfb29bb1
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.35 Win 32 Exe x86
Link:
https://app.malva.re/file/f4985092b0e70641bd97fd6441f6bb56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c128a32876c2adbac6ebd2e5da76f3c03e8d6db44850bb60c7d4a1ebcfb29bb1/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/c128a32876c2adbac6ebd2e5da76f3c03e8d6db44850bb60c7d4a1ebcfb29bb1
Threat name:
Win32.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2025-10-14 02:53:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yeukgkdwykw3vrxl2ls5u5xtya7i23nujbilwygh2sq6xt5stoyq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
xworm
Create hunting rule
Similar samples:
c128a32876c2adbac6ebd2e5da76f3c03e8d6db44850bb60c7d4a1ebcfb29bb1
XWorm
c77df447c372e2aa22b4fb528775f2ac2be22e0595f02ceb3c40c9944cf689d4
XWorm
d491c15add4aebfad993dc9eb7b21d5f00d373e1e4acab3b6393c9568bdb26bc
XWorm
ed9e2702e14b07eeafe408ab9d66d39abb1700e2f6cf4c175db48d741bd19cf8
XWorm
error
XWorm
faa2ffa4498542a73f97ca66525fe785788559665b0a553a322d5ccefa7bf473
XWorm
+ 592 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution persistence rat trojan
Link:
https://tria.ge/reports/251014-fngjeadt2a/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
203.202.232.54:3310
Verdict:
Malicious
Tags:
External_IP_Lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/a9d6557a-c132-442a-a896-24ccafec6e69
Unpacked files
SH256 hash:
c128a32876c2adbac6ebd2e5da76f3c03e8d6db44850bb60c7d4a1ebcfb29bb1
MD5 hash:
f4985092b0e70641bd97fd6441f6bb56
SHA1 hash:
fa7263ca4ce2942510c0b433dcca573bb0808657
Link:
https://www.unpac.me/results/ebfbecbd-f919-4d4a-b81c-e490fb290d4d/
SH256 hash:
b794ed0c0c7d4499d0a2ffff67eb5b92dba83f4be7964591e9edad2755176511
MD5 hash:
2a576318d07470206dd7c45f7d896078
SHA1 hash:
3096b2a5ccd98583949a9f57842d5547b50bbc29
Link:
https://www.unpac.me/results/ebfbecbd-f919-4d4a-b81c-e490fb290d4d/
SH256 hash:
8b78e6311e5e51af3224ef7101e9e82a641d2406c641b46a07b3732f33f8bc46
MD5 hash:
460d8efc10cbe3559e03c52c2d9d7588
SHA1 hash:
77f28e127fb76ac84508efe8b13f351280f5d4d7
Detections:
win_xworm_a0
Create hunting rule
win_xworm_w0
Create hunting rule
XWorm
Create hunting rule
MAL_RANSOM_COVID19_Apr20_1
Create hunting rule
win_xworm_bytestring
Create hunting rule
win_xworm_simple_strings
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/ebfbecbd-f919-4d4a-b81c-e490fb290d4d/
SH256 hash:
724f7321b8886db2af43ea90f4f60654562eeb12ff025b11dda1e228b331c2e8
MD5 hash:
2850d43dd20b00be7c2ce9f1cb9cc1d6
SHA1 hash:
cf202ede14d828c8c2af43bd4bc4e5630087ab08
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/ebfbecbd-f919-4d4a-b81c-e490fb290d4d/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c128a32876c2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c128a32876c2adbac6ebd2e5da76f3c03e8d6db44850bb60c7d4a1ebcfb29bb1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:EXE_RAT_XWorm_April2024
Create hunting rule
Author:Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:MAL_RANSOM_COVID19_Apr20_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects ransomware distributed in COVID-19 theme
Reference:https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Rule name:MAL_RANSOM_COVID19_Apr20_1_RID2ECC
Create hunting rule
Author:Florian Roth
Description:Detects ransomware distributed in COVID-19 theme
Reference:https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:win_xworm_bytestring
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects bytestring present in unobfuscated xworm
Rule name:win_xworm_simple_strings
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects simple strings present in unobfuscated xworm
Rule name:win_xworm_w0
Create hunting rule
Author:jeFF0Falltrades
Description:Detects win.xworm.
Rule name:XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:xworm_kingrat
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/32610/

Comments