MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2c2e544f194a210666d1d4008053bcea94cf65f8215b240b3f9deb03dba3ff4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 19


Intelligence 19 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2c2e544f194a210666d1d4008053bcea94cf65f8215b240b3f9deb03dba3ff4
SHA3-384 hash: 3fe8b6ae141de17f2b78fd8fc31706b232fe349cf411692b6633b6d2fb4e9b5d9de0552a72eaa019e4ac433e6b50379a
SHA1 hash: fe49de660872a2afaaaab5b0fe5fda8bb0352254
MD5 hash: 81801022976390a7f59b88743a5ca5f0
humanhash: iowa-pennsylvania-cold-item
File name:81801022976390a7f59b88743a5ca5f0.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:312'741 bytes
First seen:2025-08-06 10:35:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4d17be67c8d0394c5c1b8e725359ed89 (5 x Adware.Generic, 4 x njrat, 3 x NanoCore)
ssdeep 6144:2RhsttBbb6TusrtjdPGA8lCH0r0OJpkSDGlKI7JCZxo0Hf:z5b4uU9LirJpkvxD0Hf
Threatray 1'648 similar samples on MalwareBazaar
TLSH T1C564E0C6F7C0C85FDB122332E62A63E98DE9D5C919FE1107869732721E0C5F5DA412E6
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10522/11/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon 31f0949aa8baaeb2 (1 x XWorm)
Reporter abuse_ch
Tags:exe xworm


Avatar
abuse_ch
XWorm C2:
197.167.45.118:4444

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
197.167.45.118:4444 https://threatfox.abuse.ch/ioc/1564942/

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
81801022976390a7f59b88743a5ca5f0.exe
Verdict:
Malicious activity
Analysis date:
2025-08-06 10:36:36 UTC
Tags:
auto-reg auto-startup remote xworm crypto-regex
Link:
https://app.any.run/tasks/58ed08e1-e592-4af0-8817-27e3bfe88e5a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19189/
Detection(s):
Win.Packed.Msilzilla-10026194-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL
Create hunting rule

Win.Packed.njRAT-10002074-1
Create hunting rule

Win.Packed.Msilzilla-10002982-0
Create hunting rule

Win.Packed.Msilzilla-10019837-0
Create hunting rule

Win.Packed.Loveletter-10023052-0
Create hunting rule

Win.Packed.Loveletter-10024677-0
Create hunting rule

Win.Packed.Msilzilla-10026193-0
Create hunting rule

Win.Malware.Deepscan-10028866-0
Create hunting rule

SecuriteInfo.com.PSW.Generic8.CDKL.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6893301711d7f9b979e60ae2
Tags:
asyncrat autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Creating a window
Creating a file in the %AppData% directory
Launching a process
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Query of malicious DNS domain
Connection attempt to an infection source
Setting a global event handler for the keyboard
Sending a TCP request to an infection source
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug installer microsoft_visual_cc overlay overlay xworm
Link:
https://www.filescan.io/uploads/689330159ef4d2ff7ceddb98/reports/7dc3bfcf-a5e2-4f5a-a8c1-82cef076a844/overview
Verdict:
Malicious
Labled as:
Dropper.Generic.Malware.SFL
Link:
https://www.hybrid-analysis.com/sample/d2c2e544f194a210666d1d4008053bcea94cf65f8215b240b3f9deb03dba3ff4
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b13ef36e-9c15-4d73-8d7d-0fa778ea0a30
Result
Threat name:
NeptuneRAT, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1751244
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Drops PE files to the startup folder
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected NeptuneRAT
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1751244 Sample: Xl71tfoW1u.exe Startdate: 06/08/2025 Architecture: WINDOWS Score: 100 77 bbyus.ooguy.com 2->77 89 Suricata IDS alerts for network traffic 2->89 91 Found malware configuration 2->91 93 Malicious sample detected (through community Yara rule) 2->93 95 17 other signatures 2->95 10 Xl71tfoW1u.exe 3 13 2->10         started        13 wininin.exe 2->13         started        16 wogoc.exe 2->16         started        18 18 other processes 2->18 signatures3 process4 file5 65 C:\Users\user\AppData\Local\...\wininiv.exe, PE32 10->65 dropped 67 C:\Users\user\AppData\Local\...\wininin.exe, PE32 10->67 dropped 69 C:\Users\user\AppData\Local\...\CheckCoin.exe, PE32+ 10->69 dropped 71 C:\Users\user\AppData\Local\Temp71ew5.6.vbs, data 10->71 dropped 20 wscript.exe 3 10->20         started        24 wininin.exe 1 6 10->24         started        27 wscript.exe 3 10->27         started        29 2 other processes 10->29 111 Antivirus detection for dropped file 13->111 113 Multi AV Scanner detection for dropped file 13->113 signatures6 process7 dnsIp8 53 C:\Users\user\AppData\Roaming\...\sys32.EXE, PE32 20->53 dropped 55 C:\ProgramData\sys32.exe, PE32 20->55 dropped 97 Drops PE files to the startup folder 20->97 99 Windows Scripting host queries suspicious COM object (likely to drop second stage) 20->99 31 sys32.exe 20->31         started        79 bbyus.ooguy.com 197.167.45.118, 3333, 4444, 49717 LINKdotNET-ASEG Egypt 24->79 57 C:\Users\user\AppData\Roaming\wininin.exe, PE32 24->57 dropped 101 Antivirus detection for dropped file 24->101 103 Multi AV Scanner detection for dropped file 24->103 105 Creates multiple autostart registry keys 24->105 107 Uses schtasks.exe or at.exe to add and modify task schedules 24->107 35 schtasks.exe 24->35         started        59 C:\Users\user\AppData\Roaming\...\sysason.EXE, PE32 27->59 dropped 61 C:\ProgramData\sysason.exe, PE32 27->61 dropped 37 sysason.exe 27->37         started        63 C:\Users\user\AppData\Local\Temp\wogoc.exe, PE32 29->63 dropped 109 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->109 39 schtasks.exe 29->39         started        file9 signatures10 process11 file12 73 C:\Users\user\AppData\Roaming\winlogoc.exe, PE32 31->73 dropped 81 Antivirus detection for dropped file 31->81 83 Multi AV Scanner detection for dropped file 31->83 85 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 31->85 41 schtasks.exe 31->41         started        43 conhost.exe 35->43         started        75 C:\Users\user\AppData\Roaming\sysason.exe, PE32 37->75 dropped 87 Creates multiple autostart registry keys 37->87 45 schtasks.exe 37->45         started        47 conhost.exe 39->47         started        signatures13 process14 process15 49 conhost.exe 41->49         started        51 conhost.exe 45->51         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d2c2e544f194a210666d1d4008053bcea94cf65f8215b240b3f9deb03dba3ff4
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/81801022976390a7f59b88743a5ca5f0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2c2e544f194a210666d1d4008053bcea94cf65f8215b240b3f9deb03dba3ff4/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/d2c2e544f194a210666d1d4008053bcea94cf65f8215b240b3f9deb03dba3ff4
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-06-24 20:09:07 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
29 of 36 (80.56%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2lbokrhrssrbaztndvaaqbj3z2uuz5s7qik3eqft7hplapn2h72a._file
Verdict:
malicious
Label(s):
cashrat
Create hunting rule
xworm
Create hunting rule
Similar samples:
29813f8d594c96b7049442e1c365e2a9162709950cb19b642eeaccef34c4f39b
XWorm
7f6eacd84180c9f8e7147154d02ad0154718af1ea0780f5cd9775823912f30fa
XWorm
c029d185a694aa636fc5a085a2d1d77fe084a40d8c162740a1ef4868c9ce91eb
XWorm
d2c2e544f194a210666d1d4008053bcea94cf65f8215b240b3f9deb03dba3ff4
XWorm
ed8bd59c514a257fd97b34500a3aa6c177878272e468aeea3c8ddfa64f244312
XWorm
error
XWorm
+ 1'638 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:neptunerat family:xworm discovery execution persistence rat trojan
Link:
https://tria.ge/reports/250806-mm6kgavwdx/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Detect Xworm Payload
Detects NeptuneRAT stealer
NeptuneRAT, MasonRAT
Neptunerat family
Xworm
Xworm family
Malware Config
C2 Extraction:
bbyus.ooguy.com:3333
bbyus.ooguy.com:4444
Verdict:
Malicious
Tags:
Win.Packed.Msilzilla-10026194-0
YARA:
n/a
Link:
https://app.threat.zone/submission/99ff9248-c76d-4c09-9b68-9c70678251ab
Unpacked files
SH256 hash:
d2c2e544f194a210666d1d4008053bcea94cf65f8215b240b3f9deb03dba3ff4
MD5 hash:
81801022976390a7f59b88743a5ca5f0
SHA1 hash:
fe49de660872a2afaaaab5b0fe5fda8bb0352254
Link:
https://www.unpac.me/results/41cf28b1-0e60-4b1e-9cd2-5bf1ff8a0e1c/
SH256 hash:
54d3c3820d5dd4ad19a35aaef5b991fb5c2c417f70ce13c8e7f5fda6c11af1c1
MD5 hash:
a8cc455aa3ab32ff0cb5384c5594d0b8
SHA1 hash:
0e06c450368e31b088da725d663609814fa20691
Detections:
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/41cf28b1-0e60-4b1e-9cd2-5bf1ff8a0e1c/
SH256 hash:
ce7cc85686e407b906b5c28230b3f83a9f6a448b9a2c7122f6ddff52c7ba09ed
MD5 hash:
d046592af6c2e0f3df05d9609ff3fe1c
SHA1 hash:
346197ad9ca0b2294c0d8eb9724c5bf01cbbb124
Detections:
win_xworm_w0
Create hunting rule
win_xworm_bytestring
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/41cf28b1-0e60-4b1e-9cd2-5bf1ff8a0e1c/
SH256 hash:
d3d17298181eec362876e9f05757d2f282dccac7a4074a8e3589158038a97302
MD5 hash:
c30802b4db31df6154dc0d7f4e243915
SHA1 hash:
d309150998a6f27ea31c34ee061b3ce2dbb39c47
Link:
https://www.unpac.me/results/41cf28b1-0e60-4b1e-9cd2-5bf1ff8a0e1c/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d2c2e544f194/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d2c2e544f194a210666d1d4008053bcea94cf65f8215b240b3f9deb03dba3ff4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/19189/

Comments