MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9eafb27a205336cacc59320dc6679381efd45f51679072c961d34dd18cf6b38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 19


Intelligence 19 IOCs YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9eafb27a205336cacc59320dc6679381efd45f51679072c961d34dd18cf6b38
SHA3-384 hash: 1522f0d418866eedde193e919fd971f2a744d0187d5cd880fd836ac14383674ca9a24b670051b87561671ec221a76a83
SHA1 hash: a9554982fe713e690b01b8c4b21d058a4879177f
MD5 hash: 4cbfafefb84d89aa4dc6d57c7dd196d7
humanhash: april-carolina-blossom-undress
File name:Fa7654er5t6y7009876545678901.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:974'848 bytes
First seen:2025-08-26 14:58:32 UTC
Last seen:2025-09-01 12:41:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1895460fffad9475fda0c84755ecfee1 (340 x Formbook, 87 x AgentTesla, 56 x a310Logger)
ssdeep 24576:/5EmXFtKaL4/oFe5T9yyXYfP1ijXdamjVxT:/PVt/LZeJbInQRam
Threatray 335 similar samples on MalwareBazaar
TLSH T169259E027391C062FFAB92734B5AF6115BBC79260123E62F13981D79BE701B1563E7A3
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter threatcat_ch
Tags:exe xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Fa7654er5t6y7009876545678901.exe
Verdict:
Malicious activity
Analysis date:
2025-08-26 15:10:57 UTC
Tags:
auto-startup xworm remote auto generic stealer
Link:
https://app.any.run/tasks/a7096f46-b56e-4b3c-8007-5fbe03be8919

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/23710/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68adcbdeeb163e0ec182cd2f
Tags:
autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Loading a suspicious library
Connection attempt to an infection source
Sending a TCP request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context autoit compiled-script fingerprint keylogger microsoft_visual_cc obfuscated packed packed packer_detected threat
Link:
https://www.filescan.io/uploads/68adcdb97137d684583e1253/reports/4385a7a8-b288-4ef3-9fdf-fdc8e9517be8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/c9eafb27a205336cacc59320dc6679381efd45f51679072c961d34dd18cf6b38
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-26T10:50:00Z UTC
Last seen:
2025-08-26T10:50:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/c9eafb27a205336cacc59320dc6679381efd45f51679072c961d34dd18cf6b38/results?tab=lookup
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/79ca4251-b071-45c0-970c-9dc8eba44215
Result
Threat name:
Chrome Injector, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1765530
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Chrome Injector
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1765530 Sample: Fa7654er5t6y7009876545678901.exe Startdate: 26/08/2025 Architecture: WINDOWS Score: 100 92 beacons.gvt2.com 2->92 94 beacons.gcp.gvt2.com 2->94 96 beacons-handoff.gcp.gvt2.com 2->96 118 Suricata IDS alerts for network traffic 2->118 120 Found malware configuration 2->120 122 Malicious sample detected (through community Yara rule) 2->122 124 12 other signatures 2->124 11 Fa7654er5t6y7009876545678901.exe 6 2->11         started        15 wscript.exe 1 2->15         started        17 msedge.exe 2->17         started        signatures3 process4 dnsIp5 80 C:\Users\user\AppData\Local\...\croc.exe, PE32 11->80 dropped 150 Binary is likely a compiled AutoIt script file 11->150 152 Found API chain indicative of sandbox detection 11->152 20 croc.exe 3 11->20         started        154 Windows Scripting host queries suspicious COM object (likely to drop second stage) 15->154 24 croc.exe 2 15->24         started        90 239.255.255.250 unknown Reserved 17->90 26 msedge.exe 17->26         started        29 msedge.exe 17->29         started        31 msedge.exe 17->31         started        33 3 other processes 17->33 file6 signatures7 process8 dnsIp9 74 C:\Users\user\AppData\Roaming\...\croc.vbs, data 20->74 dropped 126 Multi AV Scanner detection for dropped file 20->126 128 Binary is likely a compiled AutoIt script file 20->128 130 Drops VBS files to the startup folder 20->130 136 2 other signatures 20->136 35 RegSvcs.exe 3 7 20->35         started        132 Writes to foreign memory regions 24->132 134 Maps a DLL or memory area into another process 24->134 40 RegSvcs.exe 1 24->40         started        100 s-part-0012.t-0009.t-msedge.net 13.107.246.40 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->100 102 ln-0007.ln-msedge.net 150.171.22.17 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->102 108 33 other IPs or domains 26->108 104 ax-0002.ax-dc-msedge.net 150.171.29.11 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 29->104 106 edge-microsoft-com.ax-0002.ax-msedge.net 29->106 file10 signatures11 process12 dnsIp13 98 198.12.126.169, 49691, 8823 AS-COLOCROSSINGUS United States 35->98 76 a1bef242-16b3-46e6-9d92-bc53acb594a3.exe, PE32+ 35->76 dropped 78 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 35->78 dropped 138 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 35->138 42 a1bef242-16b3-46e6-9d92-bc53acb594a3.exe 8 35->42         started        45 a1bef242-16b3-46e6-9d92-bc53acb594a3.exe 35->45         started        48 chrome.exe 7 35->48         started        51 2 other processes 35->51 file14 signatures15 process16 dnsIp17 140 Multi AV Scanner detection for dropped file 42->140 142 Writes to foreign memory regions 42->142 144 Allocates memory in foreign processes 42->144 53 conhost.exe 42->53         started        55 chrome.exe 42->55         started        82 \Device\ConDrv, ASCII 45->82 dropped 146 Creates a thread in another existing process (thread injection) 45->146 148 Injects a PE file into a foreign processes 45->148 57 msedge.exe 45->57         started        59 conhost.exe 45->59         started        84 192.168.2.5, 443, 49675, 49691 unknown unknown 48->84 86 192.168.2.14 unknown unknown 48->86 88 3 other IPs or domains 48->88 61 chrome.exe 48->61         started        64 chrome.exe 48->64         started        66 chrome.exe 48->66         started        68 chrome.exe 48->68         started        70 2 other processes 51->70 file18 signatures19 process20 dnsIp21 72 WerFault.exe 57->72         started        110 www.google.com 142.250.80.36 GOOGLEUS United States 61->110 112 play.google.com 64->112 114 beacons.gvt2.com 64->114 116 2 other IPs or domains 64->116 process22
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c9eafb27a205336cacc59320dc6679381efd45f51679072c961d34dd18cf6b38
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9eafb27a205336cacc59320dc6679381efd45f51679072c961d34dd18cf6b38/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/c9eafb27a205336cacc59320dc6679381efd45f51679072c961d34dd18cf6b38
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2025-08-26 13:46:52 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
18 of 36 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zhvpwj5cauzwzlgfsmqnyztzhapp2rpvcz4qolewdu2n2ggpnm4a._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
0faf94a24b00a7dca3cb0e26b29b0c3f72f66e2f968d997ad45e74620efeb11b
XWorm
6331ca8b268d2426749f0e579dad36513fd5d8f2489abdea7fac083109546459
XWorm
90934a7223298d694ec80a01da6b1f869e399db5d6bdea8d87db2473c76142a3
XWorm
92465a1c7629bb10ce9f67b667871537887a281b66a90dd4d481612111d3dd63
XWorm
bbeb60069be1fdb21ef420628bb1294bcdac1441d29cf3c91cbc2dfd7e7e07c1
XWorm
c9eafb27a205336cacc59320dc6679381efd45f51679072c961d34dd18cf6b38
XWorm
e240d5ca88066c12c5f144bebec43d9a4ee76b577419b5a7350149b81635ed2c
XWorm
error
XWorm
fd9dbcc0a59475ba77d799f67faeefe4264cbdec6b1a45180bd6104568a5ac52
XWorm
+ 325 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery rat trojan
Link:
https://tria.ge/reports/250826-sha6na1kw2/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
AutoIT Executable
Suspicious use of SetThreadContext
Drops startup file
Executes dropped EXE
Loads dropped DLL
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
198.12.126.169:8823
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/05585776-9aef-4b08-bccf-4eccee98f6c5
Unpacked files
SH256 hash:
c9eafb27a205336cacc59320dc6679381efd45f51679072c961d34dd18cf6b38
MD5 hash:
4cbfafefb84d89aa4dc6d57c7dd196d7
SHA1 hash:
a9554982fe713e690b01b8c4b21d058a4879177f
Link:
https://www.unpac.me/results/b0ac22f2-fc2f-4c9a-8aee-005bc8374163/
SH256 hash:
84871e0cf7929873b74b4a4f9cf42a413367d731fc3c0e3b323a2aca178a2de7
MD5 hash:
803000a491d3693b30fe2b897107ea12
SHA1 hash:
e7d74ccefd060cf413296fef742bb5d3c37c8725
Detections:
win_xworm_a0
Create hunting rule
win_xworm_w0
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/b0ac22f2-fc2f-4c9a-8aee-005bc8374163/
Parent samples :
c9eafb27a205336cacc59320dc6679381efd45f51679072c961d34dd18cf6b38
f78a4b9fa0ff5147d158e0fe48daf3b6b8f2de9e9e8b824d70c6af392e489487
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c9eafb27a205/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_xworm_w0
Create hunting rule
Author:jeFF0Falltrades
Description:Detects win.xworm.
Rule name:xworm
Create hunting rule
Author:jeFF0Falltrades
Rule name:xworm_kingrat
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Executable exe c9eafb27a205336cacc59320dc6679381efd45f51679072c961d34dd18cf6b38

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23710/

Comments