MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7f4e1aba81ad7714da4487dd279cc886b50428116b614c9ebe246d937c478f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: XWorm
Vendor detections: 20

SHA256 hash: c7f4e1aba81ad7714da4487dd279cc886b50428116b614c9ebe246d937c478f0
SHA3-384 hash: c3c60c163a03aa9f1167a0775b4fb1f0fee8f480f151a0d8cee00d069930c22f3f72c8a0bf37224cb174a6117e1fa012
SHA1 hash: 65b2a84fdb30e0a1e94c2b2ae1c75093093c77a0
MD5 hash: 57f12202d24edea1d98cc4ffcbd6b9c6
humanhash: july-diet-maryland-victor
File name: 1c7f4e1aba81ad7714da4487dd279cc886b50428116b6.exe
Signature XWorm
File size: 5'221'888 bytes
First seen: 2025-08-23 08:00:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 98304:nb32noKQfZrHVbfub6nloi8DbTqgIWKm77LrwkEpX:nDpb+6l2DagIeLsl
Threatray: 2'032 similar samples on MalwareBazaar
TLSH: T16A36D0017B958D01E16A1B36C2BB4504777BAC425672FF0B79A876AD1D2E3C3AC18F87
TrID: 56.9% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      15.6% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      9.2% (.EXE) InstallShield setup (43053/19/16)
      6.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      3.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
Magika: pebin
Reporter: abuse_ch
Tags: exe xworm
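Before detonating or reversing a copy of this sample, confirm that what you downloaded is the file the entry describes. The script below is an added example written for this page, not MalwareBazaar's own tooling: it streams the file once through the four digest algorithms listed above and also checks the listed size, since a truncated or substituted download is the usual reason digests disagree. The digests and size are copied from this entry; nothing else is assumed.

```python
"""Check a downloaded copy against the digests this MalwareBazaar entry lists, so that analysis
is done on the file the page describes and not on a truncated or substituted download.
Added example, not MalwareBazaar's own tooling; the digests and size are copied from this page."""
import hashlib
import io

PAGE_HASHES = {
    "md5": "57f12202d24edea1d98cc4ffcbd6b9c6",
    "sha1": "65b2a84fdb30e0a1e94c2b2ae1c75093093c77a0",
    "sha256": "c7f4e1aba81ad7714da4487dd279cc886b50428116b614c9ebe246d937c478f0",
    "sha3_384": "c3c60c163a03aa9f1167a0775b4fb1f0fee8f480f151a0d8cee00d069930c22f3f72c8a0bf37224cb174a6117e1fa012",
}
PAGE_SIZE = 5221888  # listed as 5'221'888 bytes


def digests(data, chunk=1 << 20):
    """Hash bytes or a binary file object with every algorithm in PAGE_HASHES in one pass."""
    stream = io.BytesIO(data) if isinstance(data, (bytes, bytearray)) else data
    hashers = {name: hashlib.new(name) for name in PAGE_HASHES}
    size = 0
    while True:
        block = stream.read(chunk)
        if not block:
            break
        size += len(block)
        for h in hashers.values():
            h.update(block)
    out = {name: h.hexdigest() for name, h in hashers.items()}
    out["size"] = size
    return out


def verify(data, expected=PAGE_HASHES, expected_size=PAGE_SIZE):
    """Return {algorithm: matched?, 'size': matched?}. Any False means you do not hold the
    listed sample. Compare digests, not filenames: the download name on this page
    (1c7f4e...) is not the SHA256 (c7f4e1...)."""
    got = digests(data)
    result = {name: got[name] == value.lower() for name, value in expected.items()}
    result["size"] = got["size"] == expected_size
    return result


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        for name, ok in verify(fh).items():
            print(f"{name:9s} {'OK' if ok else 'MISMATCH'}")
```

Run it as `python verify_sample.py <file>`; every line must read OK before the file is treated as this sample. The first "Unpacked files" entry further down shares the sample's SHA256, so the same digests identify the outer binary in both places.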


abuse_ch
XWorm C2:
87.242.106.13:54193

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
87.242.106.13:54193  https://threatfox.abuse.ch/ioc/1573029/

Intelligence


File Origin
# of uploads: 1
# of downloads: 104
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4336ceb4997f432cde6090d7cf2cf13236b64179320341dc9eb518cfb56e3268.exe
Verdict: Malicious activity
Analysis date: 2025-08-23 07:47:01 UTC
Tags: ims-api generic

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmdetect asyncrat autorun quasar
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Creating a file in the system32 subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Creating a service
Enabling the 'hidden' option for recently created files
Launching a service
Creating a file in the Program Files subdirectories
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Setting a single autorun event
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict: Malicious
File Type: exe x32
First seen: 2025-08-14T20:17:00Z UTC
Last seen: 2025-08-14T20:17:00Z UTC
Hits: ~100
Result
Threat name: DCRat, KeyLogger, Quasar, XWorm
Detection: malicious
Classification: bank.troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Drops PE files with benign system names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a browser helper object (BHO)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Yara detected Keylogger Generic
Yara detected Quasar RAT
Yara detected XWorm
Behaviour
Behavior Graph (ID 1763507; sample 1c7f4e1aba81ad7714da4487dd2...; start date 23/08/2025; architecture WINDOWS; score 100)

Contacted hosts: tcp.cloudpub.ru, ip-api.com
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 23 other signatures

Process tree (dropped files, network contacts and signatures listed under the process responsible):

1c7f4e1aba81ad7714da4487dd279cc886b50428116b6.exe
  drops: C:\Users\user\AppData\Local\...\svchost64.exe (PE32); C:\Users\user\AppData\...\explorer64.exe (PE32); 1c7f4e1aba81ad7714...b50428116b6.exe.log (ASCII)
  svchost64.exe
    drops: C:\Users\user\AppData\Local\...\svchost.exe (PE32); C:\Users\user\AppData\Local\...\explorer.exe (PE32)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Drops PE files with benign system names
    svchost.exe
      drops: C:\driverNet\msblockinto.exe (PE32); C:\...\bvElR9l3e6M3DQU5UdF6aCm2nAId.bat (ASCII); C:\...\9uzsvDMU6rzTiSa2KoESj40IXyhi3x.vbe (data)
      signatures: Multi AV Scanner detection for dropped file
      wscript.exe
        signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
        cmd.exe
          conhost.exe
          msblockinto.exe
            drops: C:\driverNet\oRWiyut7lkhfIKs.exe (PE32); C:\Windows\...\Wd1N9S9Q5Z27J0ONmwbJ.exe (PE32); C:\Windows\SKB\...\ugXnoV1ajnhi3yTrCwFh.exe (PE32); 11 other malicious files
            signatures: Multi AV Scanner detection for dropped file; Creates processes via WMI
    explorer.exe
      network: ip-api.com (208.95.112.1, destination port 80, TUT-AS, United States)
      drops: C:\Users\Public\Discord.exe (PE32)
      signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 6 other signatures
      powershell.exe
        signatures: Loading BitLocker PowerShell Module
        conhost.exe
  explorer64.exe
    drops: C:\Windows\System32\SubDir\GameBar.exe (PE32)
    signatures: Creates an undocumented autostart registry key; Drops executables to the windows directory (C:\Windows) and starts them; Creates an autostart registry key pointing to binary in C:\Windows; 3 other signatures
    GameBar.exe
      network: tcp.cloudpub.ru (87.242.106.13, MASTERHOST-AS, Moscow, Russian Federation)
      signatures: Creates an undocumented autostart registry key; Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
      schtasks.exe
        conhost.exe
    ugXnoV1ajnhi3yTrCwFh.exe
    schtasks.exe
      conhost.exe
    3 other processes
      conhost.exe (3 instances)

Started at top level, not as children of the sample:
GameBar.exe
  signatures: Creates an undocumented autostart registry key; Creates multiple autostart registry keys; Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
FyoOOC2pst0HeB3F5.exe
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
5 other processes
Verdict: QuasarRat
YARA: 26 match(es)
Tags: .Net .Net Obfuscator .Net Reactor Executable Fody/Costura Packer Html Malicious Managed .NET njRat Obfuscated PDB Path PE (Portable Executable) PE File Layout QuasarRat RAT SOS: 0.00 SOS: 0.16 SOS: 0.19 SOS: 0.20 SOS: 0.22 SOS: 0.23 SOS: 0.25 SOS: 0.26 SOS: 0.27 SOS: 0.29 SOS: 0.32 SOS: 0.34 SOS: 0.35 SOS: 0.63 SOS: 0.90 SOS: 0.97 VBScript Encoded Win 32 Exe WScript.Shell x86 XWorm
Malware Config
C2 Extraction:
CNC: tcp.cloudpub.ru
PORT: 54193
Threat name: Win32.Backdoor.XWormRat
Status: Malicious
First seen: 2025-08-15 01:09:53 UTC
File Type: PE (.Net Exe)
Extracted files: 81
AV detection: 31 of 38 (81.58%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:dcrat family:quasar family:xworm botnet:ricijo discovery execution infostealer persistence privilege_escalation rat spyware trojan
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
SmartAssembly .NET packer
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Creates new service(s)
DCRat payload
DcRat
Dcrat family
Detect Xworm Payload
Process spawned unexpected child process
Quasar RAT
Quasar family
Quasar payload
Xworm
Xworm family
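The behaviours listed above, together with the sandbox signatures and named Sigma rules further up (system process names in unexpected locations, a new Run key pointing to a suspicious folder, a base64-encoded MpPreference cmdlet, schtasks persistence, and the published C2), translate directly into host-side detection logic. The block below is an added example written for this page, not code from MalwareBazaar or any of the sandbox vendors. It runs the checks over constructed Sysmon-style records (process creation, network connection, registry value set) that imitate what this sample did; the C2 address, port and hostname are taken from the IOC section, the dropped-file paths from the behaviour graph, and the task and Run-value names (GameBar, Discord, OneDrive) are constructed for the example.

```python
"""Host-side checks mirroring this sample's sandbox findings: system-process names running
outside their expected directories, Run keys pointing into user-writable folders, base64-encoded
PowerShell that touches MpPreference (Defender exclusions), schtasks persistence, and the C2
published on this page. Added example, not MalwareBazaar or vendor code."""
import base64
import re

# IOCs from this MalwareBazaar entry (ThreatFox 1573029).
C2_IPS = {"87.242.106.13"}
C2_HOSTS = {"tcp.cloudpub.ru"}
C2_PORTS = {54193}

SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "conhost.exe", "lsass.exe", "csrss.exe"}
EXPECTED_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows"}
# Folders in the spirit of the Sigma "New RUN Key Pointing to Suspicious Folder" rule; not exhaustive.
SUSPICIOUS_DIRS = ("\\appdata\\", "c:\\users\\public\\", "\\temp\\", "c:\\programdata\\")


def split_path(path):
    """Return (directory, filename), lower-cased, for a Windows path."""
    p = path.lower().replace("/", "\\")
    d, _, name = p.rpartition("\\")
    return d, name


def b64_utf16(script):
    """Encode a script the way PowerShell -EncodedCommand expects (base64 over UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload from a PowerShell command line, or ''."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError
        return ""


def check_process(ev):
    alerts = []
    d, name = split_path(ev["Image"])
    cmd = ev.get("CommandLine", "")
    if name in SYSTEM_NAMES and d not in EXPECTED_DIRS:
        alerts.append("system_process_name_in_unexpected_location")
    if name == "powershell.exe":
        if "mppreference" in (cmd + " " + decode_encoded_command(cmd)).lower():
            alerts.append("powershell_mppreference")  # Add-/Set-MpPreference, e.g. Defender exclusions
        if re.search(r"-e(?:xecutionpolicy|p)\s+bypass", cmd, re.I):
            alerts.append("powershell_execution_policy_bypass")
    if name == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        alerts.append("schtasks_create")
    return alerts


def check_registry(ev):
    key = ev["TargetObject"].lower()
    if "\\software\\microsoft\\windows\\currentversion\\run" not in key:
        return []
    target = ev.get("Details", "").lower()
    # A Run value into AppData/Public/Temp/ProgramData, or into a sub-folder of System32
    # (this sample used System32\SubDir\GameBar.exe), is what the sandboxes flagged.
    if any(s in target for s in SUSPICIOUS_DIRS) or re.search(r"c:\\windows\\system32\\[^\\]+\\", target):
        return ["run_key_to_suspicious_folder"]
    return []


def check_network(ev):
    ip = ev.get("DestinationIp", "")
    host = ev.get("DestinationHostname", "").lower()
    if ip in C2_IPS or host in C2_HOSTS:
        return ["known_xworm_c2"]
    if int(ev.get("DestinationPort", 0)) in C2_PORTS:
        return ["xworm_c2_port"]  # port alone is a lead, not a verdict
    return []


HANDLERS = {1: check_process, 3: check_network, 13: check_registry}


def scan(events):
    """Return {event index: [alert names]} for every event that fires at least one check."""
    hits = {}
    for i, ev in enumerate(events):
        alerts = HANDLERS.get(ev["EventID"], lambda e: [])(ev)
        if alerts:
            hits[i] = alerts
    return hits


# Constructed Sysmon-style records imitating this sample's behaviour (not real telemetry).
EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\svchost.exe", "CommandLine": "svchost.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ep bypass -enc " + b64_utf16("Add-MpPreference -ExclusionPath C:\\driverNet")},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /create /tn GameBar /tr C:\\Windows\\System32\\SubDir\\GameBar.exe /sc minute"},
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord",
     "Details": "C:\\Users\\Public\\Discord.exe"},
    {"EventID": 13, "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"},
    {"EventID": 3, "DestinationIp": "87.242.106.13", "DestinationPort": 54193, "DestinationHostname": "tcp.cloudpub.ru"},
    {"EventID": 3, "DestinationIp": "208.95.112.1", "DestinationPort": 80, "DestinationHostname": "ip-api.com"},
]

if __name__ == "__main__":
    for idx, alerts in scan(EVENTS).items():
        ev = EVENTS[idx]
        print(idx, ev.get("Image") or ev.get("TargetObject") or ev.get("DestinationIp"), alerts)
```

The benign controls (svchost.exe from System32, a Run value under Program Files, the ip-api.com lookup) stay silent; the ip-api.com request is left out of the C2 match deliberately, since it is a public geolocation service that many legitimate programs call and on its own only tells you the sample checked where it was running. The PowerShell check decodes the encoded command before looking for MpPreference, which is what the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma detection listed above depends on.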
Malware Config
C2 Extraction: tcp.cloudpub.ru:54193
Verdict: Malicious
Tags: rat quasar_rat xworm Win.Trojan.Uztuby-9855059-0
YARA: EXE_RAT_XWorm_April2024 MALWARE_Win_XWorm MAL_QuasarRAT_May19_1 malware_windows_quasarrat win_mal_XWorm win_xworm_bytestring
Unpacked files

SHA256 hash: c7f4e1aba81ad7714da4487dd279cc886b50428116b614c9ebe246d937c478f0
MD5 hash: 57f12202d24edea1d98cc4ffcbd6b9c6
SHA1 hash: 65b2a84fdb30e0a1e94c2b2ae1c75093093c77a0
Detections: win_xworm_w0 QuasarRAT

SHA256 hash: dd71110a6b7fb79b2949280611957646f76503f1bda866b06e74b9a74e54dc89
MD5 hash: dc16ed5b1c1cbbaf35179701b1f4035e
SHA1 hash: ec8e01c61fcea9d0560b31786e7eef37a0409fe3
Detections: win_xworm_w0 SUSP_OBF_NET_Reactor_Indicators_Jan24 win_xworm_bytestring win_mal_XWorm INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_AsyncRAT MALWARE_Win_XWorm

SHA256 hash: c29b8c089386c964ea2f63e79e78fc57abbe732b3b8366827218858b0ed7c256
MD5 hash: 229eead018d5239fec9bc7dea6aea973
SHA1 hash: c810a3db8824a891adfede933079020bcf105df2
Detections: win_xworm_w0 win_xworm_bytestring win_mal_XWorm INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_AsyncRAT MALWARE_Win_XWorm

SHA256 hash: dbf2476b04ae66c2eb361fdea361c62778286823b60feea32cdbc15d59d024d3
MD5 hash: 6f4c9a1cca54d89aeba6e2528340189e
SHA1 hash: 36e1648600892661b6858c0ad15122f2a674dda9
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 0cfc66e78885ccb36151d2a8621b9c2c4c151d91a0a7415ce511c47a19f94f81
MD5 hash: b048aa9ab2da46f94d6196d022c61507
SHA1 hash: f3c3533fc6c74cb6f5b1029a0a9dfb9d8d65528a
Detections: QuasarRAT cn_utf8_windows_terminal malware_windows_xrat_quasarrat MAL_QuasarRAT_May19_1 MAL_BackNet_Nov18_1 INDICATOR_EXE_Packed_Fody INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:botnet_plaintext_c2
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:Check_Dlls
Rule name:Costura_Protobuf
Author:@bartblaze
Description:Identifies Costura and Protobuf in .NET assemblies, respectively for storing resources and (de)serialization. Seen together might indicate a suspect binary.
Rule name:CP_AllMal_Detector
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:dcrat_
Author:Michelle Khalil
Description:This rule detects unpacked dcrat malware samples.
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:DotNet_Reactor
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:dsc
Author:Aaron DeVera
Description:Discord domains
Rule name:EXE_RAT_XWorm_April2024
Author:Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base64 encoded powershell script.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_DotNET_Encrypted
Author:ditekSHen
Description:Detects encrypted or obfuscated .NET executables
Rule name:INDICATOR_EXE_Packed_Fody
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:Indicator_MiniDumpWriteDump
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:maldoc_find_kernel32_base_method_1
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_AsyncRAT
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Author:ditekSHen
Description:Detects XWorm
Rule name:MAL_QuasarRAT_May19_1
Description:Detects QuasarRAT malware
Rule name:MAL_QuasarRAT_May19_1
Author:Florian Roth (Nextron Systems)
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Multifamily_RAT_Detection
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:Njrat
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Rule name:PureCrypter
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win32_dotnet_obfuscate
Author:Reedus0
Description:Rule for detecting .NET obfuscated malware
Rule name:windows_encryptor_APOS
Author:CICS, Jan Dubs
Description:APOS RaaS Windows Encryptor
Reference:https://github.com/Neo23x0/yarGen
Rule name:win_rat_generic
Author:Reedus0
Description:Rule for detecting generic RAT malware
Rule name:win_stealer_generic
Author:Reedus0
Description:Rule for detecting generic stealer malware
Rule name:win_xworm_bytestring
Author:Matthew @ Embee_Research
Description:Detects bytestring present in unobfuscated xworm
Rule name:win_xworm_w0
Author:jeFF0Falltrades
Description:Detects win.xworm.
Rule name:XWorm
Author:ditekSHen
Description:Detects XWorm
Rule name:xworm
Author:jeFF0Falltrades
Rule name:xworm_kingrat
Author:jeFF0Falltrades
