MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 cf58d8b35860f544e31412542ac0fa1ec6f5f331dbbb20ea017e1d966860ba51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
XWorm
Vendor detections: 7
| SHA256 hash: | cf58d8b35860f544e31412542ac0fa1ec6f5f331dbbb20ea017e1d966860ba51 |
|---|---|
| SHA3-384 hash: | 875b0610cc801ca7c6b952aec849e18c67c4c4cbdf135815d535d443995f315e961dc6448a3cf836b57c17385ff60d2a |
| SHA1 hash: | a3dec31a1fa2be4fe4b645ba73b2362c9f9f8810 |
| MD5 hash: | 0ba4eb098832e56c510956541a714114 |
| humanhash: | lake-salami-hawaii-blossom |
| File name: | nRFQ_OUR_REF_RET-402-14365.tar |
| Download: | download sample |
| Signature | XWorm |
| File size: | 780'108 bytes |
| First seen: | 2026-07-14 15:00:16 UTC |
| Last seen: | Never |
| File type: | tar |
| MIME type: | application/x-rar |
| ssdeep | 12288:uXfy63hoE2MXvW1g18iiGpsZPHEwmjW/z1RxUn46MfhE5fd1ydco:aME2M+nbGpMkwSMzVUncf+5fry+o |
| TLSH | T15BF423F53BF4D4EE96A68909BB82767B4573E100839D898FD30A1B06B240D066EDEF15 |
| TrID | 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1) |
| Magika | rar |
| Reporter | |
| Tags: | tar xworm |
Intelligence
File Origin
# of uploads :
1
# of downloads :
77
Origin country :
USVendor Threat Intelligence
Verdict:
Malicious
Score:
91.7%
Tags:
infosteal autorun
Verdict:
Malicious
File Type:
rar
First seen:
2026-07-14T13:15:00Z UTC
Last seen:
2026-07-15T12:05:00Z UTC
Hits:
~10
Verdict:
inconclusive
YARA:
1 match(es)
Tags:
Rar Archive
Threat name:
ByteCode-MSIL.Infostealer.Pony
Status:
Malicious
First seen:
2026-07-14 02:40:12 UTC
File Type:
Binary (Archive)
Extracted files:
10
AV detection:
16 of 36 (44.44%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
xworm
Score:
10/10
Tags:
family:xworm discovery execution persistence rat trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Family: Xworm
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.