MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0e8285f9d1c699ed9ee1185456601e703a7305ecdae05aaf732b96e6db5450b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 9

SHA256 hash: d0e8285f9d1c699ed9ee1185456601e703a7305ecdae05aaf732b96e6db5450b
SHA3-384 hash: c50a89220edb8a8daa99cac7c65afc5c832ff03a4885e48cc68176a6ad30e6b617ea49ccef9996b978cf56e3f8f7e431
SHA1 hash: 74e2b49136604282c7eaf9066c993e45a35b2fce
MD5 hash: 4541e7e77b39be572ebbffc177ee9407
humanhash: echo-iowa-apart-mars
File name: lpg.cmd
Signature: XWorm
File size: 48'816 bytes
First seen: 2024-09-24 10:04:10 UTC
Last seen: Never
File type: cmd
MIME type: text/plain
ssdeep: 768:0yWnyN9IbUZIYiztjyHg6QihA1WmmaMj17Hln1nVrY:0E9XqYwtWAb1DmdxLlnk
Threatray: 1'164 similar samples on MalwareBazaar
TLSH: T10423F17409402E6689F796688BEEA7DD836EE8E06356C1CCE791F0ED8E7D42FC530614
Magika: powershell
Reporter: JAMESWT_WT
Tags: bulletrdp-ru cmd xworm

Intelligence

File Origin
# of uploads: 1
# of downloads: 137
Origin country: IT
Vendor Threat Intelligence

Result
Verdict: Malicious
Score: 96.5%
Tags: Encryption Execution Network Stealth Obfuscate Corrupt Escape Gumen

Result
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: cmd lolbin powershell

Result
Verdict: UNKNOWN

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
- AI detected suspicious sample
- Loading BitLocker PowerShell Module
- Malicious sample detected (through community Yara rule)
- Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
- Sigma detected: Base64 Encoded PowerShell Command Detected
- Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
- Suricata IDS alerts for network traffic
- Suspicious command line found
- Suspicious powershell command line found
- Uses the Telegram API (likely for C&C communication)
- Very long command line found
- Yara detected XWorm
Behaviour:
Behavior Graph (image not preserved; details recovered from the graph labels):
Behavior Graph ID: 1516548
Sample: lpg.cmd
Start date: 24/09/2024
Architecture: WINDOWS
Score: 100
Processes observed: cmd.exe, powershell.exe, conhost.exe
Network contacts: api.telegram.org (149.154.167.220, port 443, TELEGRAMRU, United Kingdom); 2.56.245.123 (port 3501, GBTCLOUDUS, Germany)
Dropped file: C:\Users\user\AppData\Roaming\SC.cmd (ASCII)
Signatures in graph: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Yara detected XWorm; 3 other signatures; Uses the Telegram API (likely for C&C communication); Very long command line found; Suspicious command line found; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Suspicious powershell command line found; Loading BitLocker PowerShell Module

Result
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-09-12 21:40:38 UTC
File Type: Text (PowerShell)
AV detection: 4 of 24 (16.67%)
Threat level: 2/5

Result
Malware family:
Score: 10/10
Tags: family:xworm execution rat trojan
Behaviour:
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Detect Xworm Payload
- Xworm

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments