MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d17dbd27deb737cb8e02e1c05823ec358c4a919cb36ec9f783845bad0d92e16a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d17dbd27deb737cb8e02e1c05823ec358c4a919cb36ec9f783845bad0d92e16a
SHA3-384 hash: 25af880525bae3b80eb557e8636039f772b7970f91c64e2cbd9da514dba4540c682ee4b021a93450dcde253d1887ce67
SHA1 hash: 72b43d6775dfbfa71ffb4e5a30a3f780b9840d5c
MD5 hash: 7bb60f32f20c888250e03193162b7f94
humanhash: oklahoma-avocado-cola-uncle
File name:v999f8.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:1'078'272 bytes
First seen:2025-07-04 13:06:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 655b5ffd004e9ca1cb767feab6e0bdb8 (4 x LummaStealer, 3 x Vidar, 2 x XWorm)
ssdeep 12288:5mJhruBJosdZa1a65jMPqH65OwRbrF51TCVrMgD84fEk1hIuGAUlVLtk1hIuGAUX:5yhrPsdAf4I0VCOuEjuGTBtjuGTB
TLSH T18F35C0399251A2D5FD6640BB4421A6947863B633CA392FFF4290E3336F17BD81F29319
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
17
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
dda5a29e3dab9f1725064663fc8d6e3032c72ca5aaf347c29f243d1e9b44ce0a.zip
Verdict:
Malicious activity
Analysis date:
2025-07-04 12:43:58 UTC
Tags:
arch-exec loader amadey botnet stealer vidar telegram rdp evasion lumma susp-powershell github stealc rust asyncrat rat remote purelogs purecrypter themida smokeloader confuser
Link:
https://app.any.run/tasks/2c1b3746-cb57-4011-8516-2d708d5c2e2d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/12323/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6867d214900df8e7f866a9f7
Tags:
virus zusy
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context fingerprint microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/6867d20e9db85bde254ab014/reports/3b475ebc-fa2b-45ed-9bef-4380fc54df4f/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/d17dbd27deb737cb8e02e1c05823ec358c4a919cb36ec9f783845bad0d92e16a
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e8473c9f-622f-4e59-a84d-f45731f5189a
Result
Threat name:
LummaC Stealer, Njrat, Vidar, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1728828
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Check if machine is in data center or colocation facility
Compiles code for process injection (via .Net compiler)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected LummaC Stealer
Yara detected Njrat
Yara detected Vidar stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1728828 Sample: v999f8.exe Startdate: 04/07/2025 Architecture: WINDOWS Score: 100 106 cexpxg.xyz 2->106 108 xt.exifit.eu.org 2->108 110 30 other IPs or domains 2->110 130 Suricata IDS alerts for network traffic 2->130 132 Malicious sample detected (through community Yara rule) 2->132 134 Antivirus detection for dropped file 2->134 138 15 other signatures 2->138 10 v999f8.exe 2->10         started        13 msedge.exe 2->13         started        signatures3 136 Performs DNS queries to domains with low reputation 106->136 process4 dnsIp5 148 Contains functionality to inject code into remote processes 10->148 150 Writes to foreign memory regions 10->150 152 Allocates memory in foreign processes 10->152 154 Injects a PE file into a foreign processes 10->154 16 MSBuild.exe 54 10->16         started        120 239.255.255.250 unknown Reserved 13->120 156 Maps a DLL or memory area into another process 13->156 signatures6 process7 dnsIp8 100 t.me 149.154.167.99, 443, 49688 TELEGRAMRU United Kingdom 16->100 102 xt.exifit.eu.org 116.202.181.52, 443, 49690, 49691 HETZNER-ASDE Germany 16->102 104 2 other IPs or domains 16->104 88 C:\Users\user\AppData\Local\...\l8890f[1].exe, PE32+ 16->88 dropped 90 C:\Users\user\AppData\Local\...\q53212[1].exe, PE32 16->90 dropped 92 C:\Users\user\AppData\Local\...\x85899[1].exe, PE32 16->92 dropped 94 6 other malicious files 16->94 dropped 122 Attempt to bypass Chrome Application-Bound Encryption 16->122 124 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->124 126 Encrypted powershell cmdline option found 16->126 128 4 other signatures 16->128 21 powershell.exe 22 16->21         started        25 powershell.exe 16->25         started        27 chrome.exe 16->27         started        30 28 other processes 16->30 file9 signatures10 process11 dnsIp12 96 C:\Users\user\AppData\...\qcfobvhc.cmdline, Unicode 21->96 dropped 140 Writes to foreign memory regions 21->140 142 Compiles code for process injection (via .Net compiler) 21->142 144 Creates a thread in another existing process (thread injection) 21->144 32 csc.exe 3 21->32         started        35 conhost.exe 21->35         started        98 C:\Users\user\AppData\Local\...\jzpii02z.0.cs, Unicode 25->98 dropped 37 csc.exe 25->37         started        39 conhost.exe 25->39         started        118 192.168.2.6, 138, 1649, 443 unknown unknown 27->118 41 chrome.exe 27->41         started        146 Monitors registry run keys for changes 30->146 44 csc.exe 30->44         started        46 csc.exe 30->46         started        48 csc.exe 30->48         started        50 24 other processes 30->50 file13 signatures14 process15 dnsIp16 70 C:\Users\user\AppData\Local\...\qcfobvhc.dll, PE32 32->70 dropped 52 cvtres.exe 1 32->52         started        72 C:\Users\user\AppData\Local\...\jzpii02z.dll, PE32 37->72 dropped 54 cvtres.exe 37->54         started        112 apis.google.com 41->112 114 www.google.com 142.250.176.196, 443, 49703, 49706 GOOGLEUS United States 41->114 116 3 other IPs or domains 41->116 74 C:\Users\user\AppData\Local\...\fe3v0w3k.dll, PE32 44->74 dropped 56 cvtres.exe 44->56         started        76 C:\Users\user\AppData\Local\...\1qewsnen.dll, PE32 46->76 dropped 58 cvtres.exe 46->58         started        78 C:\Users\user\AppData\Local\...\3skorx2c.dll, PE32 48->78 dropped 60 cvtres.exe 48->60         started        80 C:\Users\user\AppData\Local\...\z1cuyy3j.dll, PE32 50->80 dropped 82 C:\Users\user\AppData\Local\...\wfxb2n0f.dll, PE32 50->82 dropped 84 C:\Users\user\AppData\Local\...\umwbdzmz.dll, PE32 50->84 dropped 86 7 other malicious files 50->86 dropped 62 cvtres.exe 50->62         started        64 cvtres.exe 50->64         started        66 cvtres.exe 50->66         started        68 8 other processes 50->68 file17 process18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d17dbd27deb737cb8e02e1c05823ec358c4a919cb36ec9f783845bad0d92e16a
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/7bb60f32f20c888250e03193162b7f94
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d17dbd27deb737cb8e02e1c05823ec358c4a919cb36ec9f783845bad0d92e16a/
Threat name:
Win64.Spyware.Vidar
Create hunting rule
Status:
Suspicious
First seen:
2025-07-03 23:41:36 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
21 of 38 (55.26%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2f632j66w434xdqc4hafqi7mgwgevem4wnxmt54dqrn22dms4fva._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:njrat family:quasar family:vidar family:xworm botnet:814e138212b7cf5b94759d76ff0d8a41 botnet:google chrome botnet:hacked credential_access cryptone defense_evasion discovery execution packer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/250704-qctppstn12/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Drops startup file
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Uses browser remote debugging
CryptOne packer
Detect Vidar Stealer
Detect Xworm Payload
Lumma Stealer, LummaC
Lumma family
Njrat family
Quasar RAT
Quasar family
Quasar payload
Vidar
Vidar family
Xworm
Xworm family
njRAT/Bladabindi
Malware Config
C2 Extraction:
https://t.me/q0l0o
https://steamcommunity.com/profiles/76561199872233764
https://cexpxg.xyz/airq
https://ycvduc.xyz/trie
https://nbcsfar.xyz/tpxz
https://cbakk.xyz/ajng
https://trsuv.xyz/gait
https://sqgzl.xyz/taoa
https://urarfx.xyz/twox
https://liaxn.xyz/nbzh
66.63.187.164:8594
66.63.187.164:8596
66.63.187.164:8595
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/aa544c00-6efa-4c05-a225-3e7bdb8ec762
Unpacked files
SH256 hash:
d17dbd27deb737cb8e02e1c05823ec358c4a919cb36ec9f783845bad0d92e16a
MD5 hash:
7bb60f32f20c888250e03193162b7f94
SHA1 hash:
72b43d6775dfbfa71ffb4e5a30a3f780b9840d5c
Link:
https://www.unpac.me/results/a94bdbbe-a33f-4500-b5ab-4c7a55550436/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d17dbd27deb737cb8e02e1c05823ec358c4a919cb36ec9f783845bad0d92e16a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Executable exe d17dbd27deb737cb8e02e1c05823ec358c4a919cb36ec9f783845bad0d92e16a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3562395/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/12323/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExA

Comments