MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d08846cf35cb56da56be21201e7a056c30e98fa6fb5d778b61c483bd0cf7fd3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 15


Intelligence 15 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d08846cf35cb56da56be21201e7a056c30e98fa6fb5d778b61c483bd0cf7fd3e
SHA3-384 hash: c4e353c45c9447bb9455d6a877a244b85ffbca54a2a6bd1b8b24b8e7634d9007130fd31f00937cf51eacef2905398b93
SHA1 hash: f8c71cba20de377cad114135ca39de0f78bad14f
MD5 hash: fea8326c44126c59865da991d1e413a8
humanhash: oklahoma-two-oxygen-oklahoma
File name:file
Download: download sample
Signature XWorm
Create hunting rule
File size:1'466'880 bytes
First seen:2025-10-09 04:00:31 UTC
Last seen:2025-10-13 04:08:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 72487866dd8607fefbf04e680f4a3e24 (1 x XWorm, 1 x DarkCloud)
ssdeep 24576:682xrjmDFEvoEqmNNpG4AmSoE4iV8rTIsD+PR7XMaHWo:68erjmDeoEppG4AsiVYTIZzMaHWo
Threatray 740 similar samples on MalwareBazaar
TLSH T19365D019A87591D6FCD740B07B599252F4237D3BCF386AAB40E48B51121AEED0A3B337
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe xworm


Avatar
Bitsight
url: http://178.16.55.70/v3434.exe

Intelligence

File Origin
# of uploads :
24
# of downloads :
94
Origin country :
US US
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
d08846cf35cb56da56be21201e7a056c30e98fa6fb5d778b61c483bd0cf7fd3e.exe
Verdict:
Malicious activity
Analysis date:
2025-10-09 02:02:07 UTC
Tags:
stealer stealc vidar
Link:
https://app.any.run/tasks/a19ded12-847d-4f8f-9add-802910b5e446

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/31213/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e7179f277c2bd8bc5e1d90
Tags:
emotet cobalt
Result
Verdict:
Clean
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Behavior that indicates a threat
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68e7338dd4a0085473c4ed11/reports/6dbb413e-656a-4d2a-a30d-b7881cbc89cd/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/d08846cf35cb56da56be21201e7a056c30e98fa6fb5d778b61c483bd0cf7fd3e
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-08T23:21:00Z UTC
Last seen:
2025-10-11T02:26:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Stealerc.HTTP.C&C Trojan.Win32.Injuke.pdgi PDM:Trojan.Win32.Generic Trojan-PSW.Vidar.HTTP.C&C Trojan-PSW.Stealerc.TCP.C&C
Link:
https://opentip.kaspersky.com/d08846cf35cb56da56be21201e7a056c30e98fa6fb5d778b61c483bd0cf7fd3e/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1129ecbf-a274-43e6-9684-f705777ef287
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d08846cf35cb56da56be21201e7a056c30e98fa6fb5d778b61c483bd0cf7fd3e
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/fea8326c44126c59865da991d1e413a8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d08846cf35cb56da56be21201e7a056c30e98fa6fb5d778b61c483bd0cf7fd3e/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/d08846cf35cb56da56be21201e7a056c30e98fa6fb5d778b61c483bd0cf7fd3e
Threat name:
Win64.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-10-09 03:54:18 UTC
File Type:
PE+ (Exe)
AV detection:
19 of 24 (79.17%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ceentzvznlnuvv6eeqb46qfnqyotd5g7noxpc3bysb32dhx7u7a._file
Verdict:
malicious
Label(s):
vidar
Create hunting rule
Similar samples:
64cad1ccb76a7413eaad9330f1e5ad44269c0b51098e83053bf0e13039f81b0d
XWorm
81d322befe2fb9594401df99bba21b530b75feb0a505a64c67839d93df9fac50
XWorm
a441e76246ce6a7f26b8fef2f6a759672928d09cdfce7ba503701915fd69fb88
XWorm
a5abb6a6dcbd0e5a11bc7788b06ed3f9ec916ab742da913056161a0baaea09a5
XWorm
af0b1df56ccc89a58a1e3693379e032daa1ce83d29bb6428ad7a187eb216eb2a
XWorm
b858650183698417edd3c9679935c88d3c4ae4d905566a2757ee1afb0e6383cb
XWorm
be68f32481e1551531f9c2ae9322870aa30e48224fb0ad1f4468b04ec07374c0
XWorm
d08846cf35cb56da56be21201e7a056c30e98fa6fb5d778b61c483bd0cf7fd3e
XWorm
e439378ca0ca70865ce01d9e795927bd542ee929db1671509555c4fc82c3e65d
XWorm
error
XWorm
+ 730 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:njrat family:quasar family:xworm botnet:chrome botnet:default botnet:hacked defense_evasion discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/251009-elca8syvbz/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Drops startup file
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Async RAT payload
AsyncRat
Asyncrat family
Detect Xworm Payload
Njrat family
Quasar RAT
Quasar family
Quasar payload
Xworm
Xworm family
njRAT/Bladabindi
Malware Config
C2 Extraction:
178.16.55.70:6000
178.16.55.70:5552
178.16.55.70:4449
178.16.55.70:4782
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fee13c5c-f0d5-400c-8925-28139d18209b
Unpacked files
SH256 hash:
d08846cf35cb56da56be21201e7a056c30e98fa6fb5d778b61c483bd0cf7fd3e
MD5 hash:
fea8326c44126c59865da991d1e413a8
SHA1 hash:
f8c71cba20de377cad114135ca39de0f78bad14f
Link:
https://www.unpac.me/results/4979beb2-95ae-4d65-8272-071863a18746/
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d08846cf35cb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d08846cf35cb56da56be21201e7a056c30e98fa6fb5d778b61c483bd0cf7fd3e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_Debugger
Create hunting rule
Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HUNTING_SUSP_TLS_SECTION
Create hunting rule
Author:chaosphere
Description:Detect PE files with .tls section that can be used for anti-debugging
Reference:Practical Malware Analysis - Chapter 16
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Executable exe d08846cf35cb56da56be21201e7a056c30e98fa6fb5d778b61c483bd0cf7fd3e

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/31213/
  
URLhaus
https://urlhaus.abuse.ch/url/3615435/

Comments