MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9a71562e105fe4d78286dd788465a07d7200aa4a66daae81d3f4630eef120b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9a71562e105fe4d78286dd788465a07d7200aa4a66daae81d3f4630eef120b9
SHA3-384 hash: 05f4e700253b71a697325de4704439a04527d3533bebf9c19d669daae150f3a7ba4198ea693f79d037a8338016bfe869
SHA1 hash: 8578bfe443d2bce14eb7ae53b9ed3d3075bdf73a
MD5 hash: 07b1c5ffb8171949b4c39eda2ef3aa3e
humanhash: hot-lima-spaghetti-spring
File name:Payload.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:126'117 bytes
First seen:2025-08-06 08:26:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a60e2f996367d3f0f40289c655d2d075 (6 x XWorm, 1 x AsyncRAT, 1 x StormKitty)
ssdeep 1536:V9YkAylEILayNqYj0OxqhXBGWMMzNzFO0n7j/YtoX52c0PD8au4q3Fs1Td2:VONzIHNq/O4bLhzFOGj/g7wau4csL2
Threatray 1'647 similar samples on MalwareBazaar
TLSH T16EC3083AF21EE23BD12589B46C140BDC10F995B8F0CB660AD3451B6A27B15B2BF7C647
TrID 77.2% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter Joker
Tags:exe xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
53
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payload.exe
Verdict:
Malicious activity
Analysis date:
2025-08-06 08:28:33 UTC
Tags:
evasion auto-reg telegram auto-startup remote xworm crypto-regex ims-api generic
Link:
https://app.any.run/tasks/0cfd638f-6852-41f7-853c-7a76e47457b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19147/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689311c611d7f9b979e5fe34
Tags:
asyncrat autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% directory
Launching a process
Enabling the 'hidden' option for recently created files
Setting a keyboard event handler
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
overlay visual_basic
Link:
https://www.filescan.io/uploads/689311c79ef4d2ff7ced9f96/reports/d590b07a-de04-4b63-a060-dbd5a4aea844/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d9a71562e105fe4d78286dd788465a07d7200aa4a66daae81d3f4630eef120b9
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1aabe7ed-7421-4a22-bf26-ba50e7b69821
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d9a71562e105fe4d78286dd788465a07d7200aa4a66daae81d3f4630eef120b9
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) Visual Basic Visual Basic 6 Win 32 Exe x86
Link:
https://app.malva.re/file/07b1c5ffb8171949b4c39eda2ef3aa3e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d9a71562e105fe4d78286dd788465a07d7200aa4a66daae81d3f4630eef120b9/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/d9a71562e105fe4d78286dd788465a07d7200aa4a66daae81d3f4630eef120b9
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2025-08-06 08:27:38 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3gtrkyxbax7e26binxlyqrs2a7lsacveuzw2v2a5h5ddb3xrec4q._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
1f204b43acfdf5d1088f37b2159d98d5500bdaeec99cd3f0d6e8ceb77282351b
XWorm
3da7ec5adf7c0051c6d7b028f1c192bb005dc03b05db805cd217a75e8e40a6e8
XWorm
64a3b19eb4e95eb953413d60ceabf46b451920790778a19f166922b6c3f89e50
XWorm
de45688e4a32f960e80c89d166f4f8240c8894106f4bf66be4d4e4af59c6f6b2
XWorm
error
XWorm
fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43
XWorm
+ 1'637 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery rat trojan
Link:
https://tria.ge/reports/250806-kb7x2stwgt/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Looks up external IP address via web service
Executes dropped EXE
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
192.159.99.244:1023
Verdict:
Malicious
Tags:
External_IP_Lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/660d6e78-e286-486f-bfa8-092d517014df
Unpacked files
SH256 hash:
d9a71562e105fe4d78286dd788465a07d7200aa4a66daae81d3f4630eef120b9
MD5 hash:
07b1c5ffb8171949b4c39eda2ef3aa3e
SHA1 hash:
8578bfe443d2bce14eb7ae53b9ed3d3075bdf73a
Link:
https://www.unpac.me/results/07f198e4-6945-4783-92eb-cc6f7c26d19a/
SH256 hash:
969eb35bab8844572929ccf3490725598ed25359f53426cb42fb9e153b6bc101
MD5 hash:
a9d0b19766d1d9c075b4b9deb76c88f8
SHA1 hash:
2b417e63f72f6b955b07746874be9df8f14321f4
Link:
https://www.unpac.me/results/07f198e4-6945-4783-92eb-cc6f7c26d19a/
SH256 hash:
9a35640a74268106b4bf3d47485d85d58adc55063c6df48a4d3b465fb813bc55
MD5 hash:
3cc8c42e8b3595563973f56a055283b6
SHA1 hash:
2076f61c31a9a60ed7e9251e22fa0e6b359d82af
Link:
https://www.unpac.me/results/07f198e4-6945-4783-92eb-cc6f7c26d19a/
SH256 hash:
d1089653486d920c78385a568ee1197880cff25f75fea737eb0166a5721104a1
MD5 hash:
02812c44ce5d57cd3c62f4d33337c927
SHA1 hash:
6b1d3d6f226fb5366a69e58bad4efc8ee315ceca
Detections:
win_xworm_w0
Create hunting rule
XWorm
Create hunting rule
win_xworm_bytestring
Create hunting rule
win_xworm_simple_strings
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/07f198e4-6945-4783-92eb-cc6f7c26d19a/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d9a71562e105/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d9a71562e105fe4d78286dd788465a07d7200aa4a66daae81d3f4630eef120b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/19147/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaSetSystemError
MSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef
MSVBVM60.DLL::__vbaFileOpen
MSVBVM60.DLL::__vbaLateMemCallLd

Comments