MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9e92d24fefd87f1817428ceb56e175ddcf19ecd96d80418824a553588aa6067. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 17

Intelligence 17 IOCs YARA 4 File information Comments

SHA256 hash:	c9e92d24fefd87f1817428ceb56e175ddcf19ecd96d80418824a553588aa6067
SHA3-384 hash:	814436530dd56eee36c8f1c477957fc43692e770933da8a97bd4b2f8a8787ffa477e2d28908f5bb9ba145e1a921019bd
SHA1 hash:	8a5d756207fe648d781384aca9cd86fc453d8a3e
MD5 hash:	26c8e87c30ade70473b9a9081d1ff040
humanhash:	helium-mango-connecticut-mississippi
File name:	c9e92d24fefd87f1817428ceb56e175ddcf19ecd96d80418824a553588aa6067
Download:	download sample
Signature	XWorm Create hunting rule
File size:	753'664 bytes
First seen:	2026-06-08 09:51:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (49'066 x AgentTesla, 20'010 x Formbook, 12'352 x SnakeKeylogger)
ssdeep	12288:Z91x7+Gi71e+QrtcUdeZAPHydz17Jp1Tv+KaHsg7tcbCQ3/hWHx0:5V+F7w+Qr0iPHyx7JptWKesgw3/hWR0
Threatray	134 similar samples on MalwareBazaar
TLSH	T180F412B873ADEB52CAB657B50E60C37613AA6E6DD911D3469EEDBCCB34193502900383
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe xworm

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

Link:

https://research.acce.ciphertechsolutions.com/results/5447372f-c265-443f-bd6d-0663e170447f/

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/69952/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a2690e6ae2f98c00a68cd71

Tags:

infosteal autorun rapid

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a file

Сreating synchronization primitives

Creating a process with a hidden window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

darkcloud krypt obfuscated packed vbnet

Link:

https://www.filescan.io/uploads/6a2690acbf16337e43bb37df/reports/b9040fcc-8d0d-41b2-84f5-a91904a2f970/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/c9e92d24fefd87f1817428ceb56e175ddcf19ecd96d80418824a553588aa6067

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-05-18T06:26:00Z UTC

Last seen:

2026-06-08T04:47:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/c9e92d24fefd87f1817428ceb56e175ddcf19ecd96d80418824a553588aa6067/results?tab=lookup

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a08f198e-193e-4fbf-aa53-9962e4df09d6

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c9e92d24fefd87f1817428ceb56e175ddcf19ecd96d80418824a553588aa6067

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c9e92d24fefd87f1817428ceb56e175ddcf19ecd96d80418824a553588aa6067/

Threat name:

Win32.Trojan.Kepavll

Status:

Malicious

First seen:

2026-05-18 15:34:24 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 36 (69.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zhus2jh67wd7dalufdhlk3qxlxopdhwns3maigecjjktlcfkmbtq._file

Verdict:

malicious

Label(s):

xworm

XWorm

7c26003b25a03f34ac2ddd11324d2501506ef7fa694cac3ec9d63717d3071783

XWorm

87d6e4f14c49abc1b9c37e8ad0db345db9caf35c2e4aa25a63f857d4aadc1faa

XWorm

8885f3e922ef08f8d1c4a0f45712de6b080a92b364ce9164ff31759cd531ead8

XWorm

c9e92d24fefd87f1817428ceb56e175ddcf19ecd96d80418824a553588aa6067

XWorm

error

XWorm

f6eb413e10a83ccf32477baf2c8d7d21c33e98a1b65755989487fbb5d941e6ff

XWorm

+ 124 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm discovery execution persistence rat trojan

Link:

https://tria.ge/reports/260608-lvs4nscv7t/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Adds Run key to start application

Drops startup file

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Detect Xworm Payload

Family: Xworm

Malware Config

C2 Extraction:

84.38.129.122:443

Unpacked files

SH256 hash:

c9e92d24fefd87f1817428ceb56e175ddcf19ecd96d80418824a553588aa6067

MD5 hash:

26c8e87c30ade70473b9a9081d1ff040

SHA1 hash:

8a5d756207fe648d781384aca9cd86fc453d8a3e

Link:

https://www.unpac.me/results/a790bac0-6239-4a92-850c-47f561c4f1ee/

SH256 hash:

154a9c700607e137f78b3d39c3830926e512a377dc156995316c8e317f69c275

MD5 hash:

428ff44ca0702c6370507cdafca2f4f2

SHA1 hash:

0791e78029fd0472116f9fb65846d0ca8848f40d

Detections:

win_xworm_w0

XWorm

Link:

https://www.unpac.me/results/a790bac0-6239-4a92-850c-47f561c4f1ee/

Parent samples :

c9e92d24fefd87f1817428ceb56e175ddcf19ecd96d80418824a553588aa6067
aa940c1b4d36e35870b5f400f63f3b86e9804043f447a06b372efc54a6ead17d

SH256 hash:

a8e9af5d5db01b452944e83f445f25e3d3d04275127f12f8c368053b23c58694

MD5 hash:

a9e32f0739d267f3ba035595a0a1558c

SHA1 hash:

13db8d9b4a34689ef263de6734dc38bb58f7f795

Link:

https://www.unpac.me/results/a790bac0-6239-4a92-850c-47f561c4f1ee/

SH256 hash:

7199ba39e15021b9ed21037e9c2d346f618bb5a8fb03a6bc0c92ad5811059c14

MD5 hash:

7bf0499db16bb004a94f51b8f44ddc16

SHA1 hash:

aa876c186af4fc0ff7e2bbc1235c8f384741202a

Link:

https://www.unpac.me/results/a790bac0-6239-4a92-850c-47f561c4f1ee/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c9e92d24fefd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c9e92d24fefd87f1817428ceb56e175ddcf19ecd96d80418824a553588aa6067

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/69952/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample