MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce28ce80d5f620894c987bcbcf86e858fdc5a1635b8e26457cd87ef99999ef4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce28ce80d5f620894c987bcbcf86e858fdc5a1635b8e26457cd87ef99999ef4b
SHA3-384 hash: a3ab4c10dd3b8cd119900e3e07310bb20527d93ce40055f5c42e1e362789ac57b84a087c19093a3b0648a9d2f2d9d39d
SHA1 hash: c550485bbec4129fcae88c4495a5ae2720bcf0c1
MD5 hash: 88ffd982745aee807faabc135711c159
humanhash: carpet-nitrogen-four-may
File name:ce28ce80d5f620894c987bcbcf86e858fdc5a1635b8e2.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:1'785'344 bytes
First seen:2025-10-02 03:25:09 UTC
Last seen:2025-10-02 04:07:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'854 x AgentTesla, 19'783 x Formbook, 12'304 x SnakeKeylogger)
ssdeep 24576:Wcd7G2AwUQXZg7kjANQm+ukAGcOz7RKhkON09vbz3kGkiYMdHfbDsBb:WyGeUsXjxZukAGcywd09X0GHn/bQBb
TLSH T178853327FD22D1A9F10291B9AF31C8F1371D9B70FE2D4C1B5A97BB32693492C1569E20
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon b3b3b371716b93b3 (25 x CryptOne, 12 x RemcosRAT, 6 x RedLineStealer)
Reporter abuse_ch
Tags:exe xworm


Avatar
abuse_ch
XWorm C2:
5.175.234.65:7000

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
5.175.234.65:7000 https://threatfox.abuse.ch/ioc/1605424/

Intelligence

File Origin
# of uploads :
4
# of downloads :
152
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ce28ce80d5f620894c987bcbcf86e858fdc5a1635b8e26457cd87ef99999ef4b.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-10-02 03:11:05 UTC
Tags:
auto-startup auto-reg dnguard babel amsi-bypass yano
Link:
https://app.any.run/tasks/7c70b94f-538e-40ba-8c27-2e6895e6369a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29858/
Detection(s):
Win.Dropper.Nanocore-10039742-0
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ddf0ad40b7da0b4eb977d8
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Launching a process
Creating a process with a hidden window
Connection attempt
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/68ddf0ac74e5a289899d6906/reports/48236caa-9267-4e5d-a23b-2e140f3fe9bf/overview
Verdict:
Malicious
Labled as:
MSIL.Cassiopeia.Generic
Link:
https://www.hybrid-analysis.com/sample/ce28ce80d5f620894c987bcbcf86e858fdc5a1635b8e26457cd87ef99999ef4b
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-02T00:21:00Z UTC
Last seen:
2025-10-03T20:46:00Z UTC
Hits:
~10
Detections:
Backdoor.Agent.TCP.C&C Trojan.Win32.Agent.sb Trojan.MSIL.Agent.sb HEUR:Trojan-Ransom.MSIL.Blocker.gen HEUR:Trojan-Dropper.MSIL.Dapato.gen HEUR:Trojan.Win32.Generic PDM:Trojan.Win32.Generic Trojan-Dropper.Win32.Agent.sb VHO:Trojan-Dropper.Win32.Convagent.gen
Link:
https://opentip.kaspersky.com/ce28ce80d5f620894c987bcbcf86e858fdc5a1635b8e26457cd87ef99999ef4b/results?tab=lookup
Malware family:
ModernLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e3b62804-c3ca-4d91-bff1-4d511f9892b5
Result
Threat name:
n/a
Detection:
malicious
Classification:
adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1787812
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary or sample is protected by dotNetProtector
Drops PE files to the startup folder
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ce28ce80d5f620894c987bcbcf86e858fdc5a1635b8e26457cd87ef99999ef4b
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce28ce80d5f620894c987bcbcf86e858fdc5a1635b8e26457cd87ef99999ef4b/
Verdict:
Malicious
Threat:
ByteCode-MSIL.Malware.Heuristic
Link:
https://tip.neiki.dev/file/ce28ce80d5f620894c987bcbcf86e858fdc5a1635b8e26457cd87ef99999ef4b
Threat name:
ByteCode-MSIL.Trojan.Cassiopeia
Create hunting rule
Status:
Malicious
First seen:
2025-10-02 03:11:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
32 of 38 (84.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zyum5agv6yqisteyppf47bxild64lildlohcmrl43b7ptgmz55fq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
execution persistence
Link:
https://tria.ge/reports/251002-dywpzawsgt/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Verdict:
Malicious
Tags:
Win.Dropper.Nanocore-10039742-0
YARA:
n/a
Link:
https://app.threat.zone/submission/ea8e592f-7024-4830-a5ef-d01d6ee39938
Unpacked files
SH256 hash:
ce28ce80d5f620894c987bcbcf86e858fdc5a1635b8e26457cd87ef99999ef4b
MD5 hash:
88ffd982745aee807faabc135711c159
SHA1 hash:
c550485bbec4129fcae88c4495a5ae2720bcf0c1
Link:
https://www.unpac.me/results/152aa90e-b56a-4ad0-9a59-ce7fb1f3ea87/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ce28ce80d5f620894c987bcbcf86e858fdc5a1635b8e26457cd87ef99999ef4b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Executable exe ce28ce80d5f620894c987bcbcf86e858fdc5a1635b8e26457cd87ef99999ef4b

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/29858/
  
URLhaus
https://urlhaus.abuse.ch/url/3639055/
  
Delivery method
Distributed via web download

Comments