MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc7e6a188f1472b3acb0dafe7791732cfc437a6d34da4121e9b1d752c3fd73d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc7e6a188f1472b3acb0dafe7791732cfc437a6d34da4121e9b1d752c3fd73d0
SHA3-384 hash: 43d8ebe1d696558b8e4afaa4456b9c1d5eb32a20b06e76f9ab986edbed4466a7546689297fe77f3dfe9db70f4784f5a4
SHA1 hash: 756ba0e2b70232657e4eeb5e8c79fa16dd0e715b
MD5 hash: db7d4f0591ba5fb5b4a0152978ea3164
humanhash: mike-maine-chicken-equal
File name:SecuriteInfo.com.Win32.Evo-gen.82521843
Download: download sample
Signature XWorm
Create hunting rule
File size:4'608 bytes
First seen:2026-01-18 14:37:02 UTC
Last seen:2026-01-18 15:26:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 699cc9570c233cf12692f95447a4cdc0 (2 x CoinMiner, 1 x Rhadamanthys, 1 x LucaStealer)
ssdeep 48:6QZ4fdetwm33OTvvqzWiJbD2jqmOt89UsxaRjXeapZYFd3ojZ8y/rlT:xKd8wO3OTqCwbvg93xadewQd3ojHrl
Threatray 735 similar samples on MalwareBazaar
TLSH T10F91849BDA78ED8AC74F12B11A7315093A745363B6A1466CF9CC04FACF84650EF0B10C
TrID 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
FR FR
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.Evo-gen.82521843
Verdict:
Malicious activity
Analysis date:
2026-01-18 14:39:47 UTC
Tags:
auto-startup auto-reg remote xworm stealer rat pulsar evasion uac pyinstaller auto-sch crypto-regex python loader xor-url generic pythonddos
Link:
https://app.any.run/tasks/b5332d6f-7e13-43d5-a153-9a5f30aed75d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/49229/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=696cf03257243ef151ce1d10
Tags:
autorun virus shell sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/696cf033fdafd7624ab028a7/reports/b46587e1-d300-4ea8-9cca-1eebb3d5f741/overview
Verdict:
Malicious
Labled as:
Suspicious:I.Worm.Zhelatin.asbt.trqh
Link:
https://www.hybrid-analysis.com/sample/dc7e6a188f1472b3acb0dafe7791732cfc437a6d34da4121e9b1d752c3fd73d0
Result
Gathering data
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9294d667-1b3c-4ba7-b580-c175b0ee8fff
Score:
79%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dc7e6a188f1472b3acb0dafe7791732cfc437a6d34da4121e9b1d752c3fd73d0
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/db7d4f0591ba5fb5b4a0152978ea3164
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc7e6a188f1472b3acb0dafe7791732cfc437a6d34da4121e9b1d752c3fd73d0/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2026-01-18 14:37:36 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3r7gugepcrzlhlfq3l7hpeltft6eg6tngtnecipjwhlvfq75opia._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
unc_loader_063
Create hunting rule
Similar samples:
29357c4073984b7507649fedbe13d90202a8eaa342c8b367e154f700d93d1f7c
XWorm
6e2eb50e40575b545f1cd9c15e2701bb83217ceb8d495c91b3f2b13ba41071cd
XWorm
929ecd4f42f496059e77888c8f2604115733bcefdd21ad8563814eb4da65005f
XWorm
9851b1427be9e22a8d82180e024bcd03e231009793927983fea84362f69af759
XWorm
a5b6b39303894624a2a833522ccec4085eedb74667fc8438a97b1ea50417b6b7
XWorm
error
XWorm
+ 725 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:quasar family:xworm defense_evasion discovery execution persistence pyinstaller rat spyware trojan
Link:
https://tria.ge/reports/260118-rze1hafx5e/
Behaviour
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Downloads MZ/PE file
Detect Xworm Payload
Quasar RAT
Quasar family
Quasar payload
Xworm
Xworm family
Malware Config
C2 Extraction:
64.89.163.7:4455
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/17b4fac7-dff4-4464-bc35-065799d0874a
Unpacked files
SH256 hash:
dc7e6a188f1472b3acb0dafe7791732cfc437a6d34da4121e9b1d752c3fd73d0
MD5 hash:
db7d4f0591ba5fb5b4a0152978ea3164
SHA1 hash:
756ba0e2b70232657e4eeb5e8c79fa16dd0e715b
Link:
https://www.unpac.me/results/c2f4160f-d965-49e2-bd56-783f4e92ddca/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dc7e6a188f14/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Executable exe dc7e6a188f1472b3acb0dafe7791732cfc437a6d34da4121e9b1d752c3fd73d0

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/49229/
  
URLhaus
https://urlhaus.abuse.ch/url/3759761/
  
Delivery method
Distributed via web download

Comments