MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cac592c52ef5289f7b25da2aa921749939ccf6d97b701df3488975ce9787ac40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cac592c52ef5289f7b25da2aa921749939ccf6d97b701df3488975ce9787ac40
SHA3-384 hash: fa579ffaa95ce7abb08e27d35a2934c69b10770de8ffdb3d94714bebd910e5bbaa3a60b0f501b25f3de759085a7906ec
SHA1 hash: 42f51bf6c1704ed580f0470d7849f1e749f365fe
MD5 hash: e5d043543f65a15be8d50df15989d9cc
humanhash: don-snake-enemy-massachusetts
File name:Payment Details,PDF.pif
Download: download sample
Signature XWorm
Create hunting rule
File size:102'912 bytes
First seen:2025-03-14 11:27:43 UTC
Last seen:2025-03-14 15:10:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'658 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 1536:WirinW8V5cz9kYDPrFV1snDyXqU3qqW2mkXuhbUR1c0bUup9a:7vx9kYFVQW6SLW2qhbo+0bU2A
Threatray 5'590 similar samples on MalwareBazaar
TLSH T1A8A3D60A37D4A705D59819BBC2E7457887E3AB8737B3D6893E4593CA4E013F48C8A7C9
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter threatcat_ch
Tags:exe xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
395
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cac592c52ef5289f7b25da2aa921749939ccf6d97b701df3488975ce9787ac40
Verdict:
Malicious activity
Analysis date:
2025-03-14 07:00:29 UTC
Tags:
opendir netreactor purecrypter remote xworm
Link:
https://app.any.run/tasks/baf40144-b1c0-46c3-8b8d-bfed1cc3f79e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d3d40c08116ce42571118f
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cryptor_detected masquerade net_reactor obfuscated obfuscated packed
Link:
https://www.filescan.io/uploads/67d412cf0a7899f35795e7d6/reports/7b2ca4f8-9cd5-4546-9fcf-e3bfe7bf07d2/overview
Verdict:
Malicious
Labled as:
RiskWare[Obfuscator]/MSIL.Reactor
Link:
https://www.hybrid-analysis.com/sample/cac592c52ef5289f7b25da2aa921749939ccf6d97b701df3488975ce9787ac40
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f03a6bef-14d1-48e0-a951-f49cde7b767d
Result
Threat name:
PureLog Stealer, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1638469
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1638469 Sample: Payment Details,PDF.pif.exe Startdate: 14/03/2025 Architecture: WINDOWS Score: 100 28 dr16899.ydns.eu 2->28 32 Found malware configuration 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus / Scanner detection for submitted sample 2->36 38 15 other signatures 2->38 8 Payment Details,PDF.pif.exe 15 4 2->8         started        signatures3 process4 dnsIp5 30 dr16899.ydns.eu 45.144.214.104, 49713, 80 HPC-MVM-ASHU Ukraine 8->30 26 C:\Users\...\Payment Details,PDF.pif.exe.log, ASCII 8->26 dropped 40 Encrypted powershell cmdline option found 8->40 42 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->42 13 powershell.exe 23 8->13         started        16 powershell.exe 15 8->16         started        18 Payment Details,PDF.pif.exe 8->18         started        file6 signatures7 process8 signatures9 44 Loading BitLocker PowerShell Module 13->44 20 conhost.exe 13->20         started        22 conhost.exe 16->22         started        24 WerFault.exe 4 18->24         started        process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cac592c52ef5289f7b25da2aa921749939ccf6d97b701df3488975ce9787ac40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cac592c52ef5289f7b25da2aa921749939ccf6d97b701df3488975ce9787ac40/
Threat name:
Win32.Exploit.PureLogStealer
Create hunting rule
Status:
Malicious
First seen:
2025-03-14 06:02:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zlczfrjo6uuj66zf3ivksilute44z5wzpnyb342irf245f4hvraa._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
01009403cd628b2c31c2d2fc7d565e99a7a8fef1093be004b6b6f64d2717275b
XWorm
0638ab8a2a8a1c7d8e7f5b5fd0b267d875a8298a166e929cc85bd69122657800
XWorm
1b72e6203b4d26cbe44b55e7df27b3477badd3270cf900bb13c2af47bed80516
XWorm
2e026a7538a02673cb6d0f7b3592c08d35a9a00cc94c553a7ac17a93533d81cd
XWorm
462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0
XWorm
7f1764a28d27f381701d9254166241607a37a02eb2fe80d682baf15236da5b7e
XWorm
8cefc39ae73f71f7bd55919b53a2208bfcdd01c4fceb0bc110b09e0db8fc85c0
XWorm
cac592c52ef5289f7b25da2aa921749939ccf6d97b701df3488975ce9787ac40
XWorm
error
XWorm
f187477e8a50704b32afbd5b4c8bae9fb10909137dbf87feaa89bb6d2f552f4f
XWorm
fae38184c5ffe7bc017485d6cd3340feb5ac7e67960e7e9599fa1901367dfce6
XWorm
+ 5'580 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm defense_evasion discovery rat trojan
Link:
https://tria.ge/reports/250314-nk2zyasq14/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Indicator Removal: File Deletion
Checks computer location settings
Detect Xworm Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm
Xworm family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c5666d08-1bfd-4a10-a785-f166d668f053
Unpacked files
SH256 hash:
cac592c52ef5289f7b25da2aa921749939ccf6d97b701df3488975ce9787ac40
MD5 hash:
e5d043543f65a15be8d50df15989d9cc
SHA1 hash:
42f51bf6c1704ed580f0470d7849f1e749f365fe
Link:
https://www.unpac.me/results/91646764-ec5d-45c8-8f14-55bb43223309/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cac592c52ef5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cac592c52ef5289f7b25da2aa921749939ccf6d97b701df3488975ce9787ac40

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla
Create hunting rule
Author:Harish Kumar P
Description:Yara Rule to Detect AgentTesla
Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Executable exe cac592c52ef5289f7b25da2aa921749939ccf6d97b701df3488975ce9787ac40

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments