MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dffb6dc781261370654389e525a629ab9368b2fca8ffb545b879adce237ec3dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm
Vendor detections: 13

SHA256 hash: dffb6dc781261370654389e525a629ab9368b2fca8ffb545b879adce237ec3dd
SHA3-384 hash: ae68444ac85992aee0dbfa6ae9aca78e23b4b3457ec499da5e34980afe815e38ae9bd6e4aa6c9c7672dc67819fdfaeba
SHA1 hash: 33cce04e1fc9b643028c19c53bba664ebc2c4790
MD5 hash: dc47751324c7008990cc3aa2c012ee40
humanhash: florida-football-batman-triple
File name: v999f8.exe
Signature: XWorm
File size: 882'688 bytes
First seen: 2025-06-16 12:54:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8035424c0cddf72a240c7dfefe26c35f (14 x LummaStealer, 2 x ResolverRAT, 2 x Vidar)
ssdeep: 24576:BGdrP0Gpf+xkfYZnz1tOlTuH/KWZsrLtkoFQmY5S+BJ:VGlHwZqUHvseo3mS+BJ
TLSH: T1E415AF3AA25261EAED1680B70551A151F9A3F93287382FFF0390D3321E07BC95F6D769
TrID: 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
      12.2% (.EXE) OS/2 Executable (generic) (2029/13)
      12.0% (.EXE) Generic Win/DOS Executable (2002/3)
      12.0% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe xworm

Intelligence

File Origin
# of uploads: 1
# of downloads: 461
Origin country: NL

Vendor Threat Intelligence

Malware family:
ID: 1
File name: TempEHTUCHSR42Z1ARYNM2QHPSEEDSDIR54A.EXE
Verdict: Malicious activity
Analysis date: 2025-06-16 01:22:55 UTC
Tags: amadey botnet stealer loader rdp telegram vidar lumma auto

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 81.4%
Tags: virus crypt zusy

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Threat name: AsyncRAT, LummaC Stealer, Njrat, Quasar
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Check if machine is in data center or colocation facility
Compiles code for process injection (via .Net compiler)
Connects to many ports of the same IP (likely port scanning)
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected LummaC Stealer
Yara detected Njrat
Yara detected Powershell decode and execute
Yara detected Quasar RAT
Yara detected Vidar stealer
Behaviour
Behavior Graph ID: 1715535
Sample: v999f8.exe
Start date: 16/06/2025
Architecture: WINDOWS
Score: 100

Sample-level network: t.me; ip-api.com; 7 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 16 other signatures

Process tree ("->" marks a started child process):

v999f8.exe
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  -> MSBuild.exe
       Network: t.me 149.154.167.99 (ports 443, 49714, 49793) TELEGRAMRU, United Kingdom
                19.171.learnblockchain101.com 49.12.119.95 (ports 443, 49715, 49716) HETZNER-ASDE, Germany
                66.63.187.164 (ports 1649, 49758, 49764) ASN-QUADRANET-GLOBALUS, United States
       Dropped: C:\Users\user\AppData\Local\...\ss542[1].exe (PE32)
                C:\Users\user\AppData\Local\...\n84991[1].exe (PE32)
                C:\Users\user\AppData\Local\...\l8890f[1].exe (PE32+)
                9 other malicious files
       Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Encrypted powershell cmdline option found; 4 other signatures
       -> iect2v37yc.exe
            Signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes
            -> MSBuild.exe
                 Network: escczlv.top 195.82.147.188 (ports 443, 49761, 49762) DREAMTORRENT-CORP-ASRU, Russian Federation
                 Signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
            -> conhost.exe
       -> 89zcba1nym.exe
            Signatures: Injects a PE file into a foreign processes
            -> 2 other processes
                 Network: ip-api.com 208.95.112.1 (ports 49767, 80) TUT-ASUS, United States
       -> powershell.exe
            Dropped: C:\Users\user\AppData\...\dw4tbzfu.cmdline (Unicode)
            Signatures: Compiles code for process injection (via .Net compiler)
            -> csc.exe
                 Dropped: C:\Users\user\AppData\Local\...\dw4tbzfu.dll (PE32)
                 -> cvtres.exe
            -> conhost.exe
       -> 30 other processes
            Network: 192.168.2.4 (ports 138, 1649, 443) unknown, unknown
            Dropped: C:\Users\user\AppData\Local\...\JQOMPH.exe (PE32)
                     C:\Users\user\AppData\Local\...\vjqsygv5.0.cs (Unicode)
            -> csc.exe
                 Dropped: C:\Users\user\AppData\Local\...\dddjngp3.dll (PE32)
                 -> cvtres.exe
            -> csc.exe
                 Dropped: C:\Users\user\AppData\Local\...\eljtmc4m.dll (PE32)
                 -> cvtres.exe
            -> csc.exe
                 Dropped: C:\Users\user\AppData\Local\...\m4m2f0qj.dll (PE32)
                 -> cvtres.exe
            -> 26 other processes
                 Network: apis.google.com
                          www.google.com 142.251.40.196 (ports 443, 49728, 49731) GOOGLEUS, United States
                          3 other IPs or domains
                 Dropped: C:\Users\user\AppData\Local\...\ymvnyabs.dll (PE32)
                          C:\Users\user\AppData\Local\...\xftw1dds.dll (PE32)
                          C:\Users\user\AppData\Local\...\vjqsygv5.dll (PE32)
                          8 other malicious files
                 -> cvtres.exe
                 -> cvtres.exe
                 -> cvtres.exe
                 -> 8 other processes
  -> conhost.exe
Threat name: Win64.Infostealer.Tinba
Status: Malicious
First seen: 2025-06-16 02:11:29 UTC
AV detection: 13 of 38 (34.21%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:njrat family:quasar family:vidar family:xworm botnet:635dd4c35cd7933809d615f71b6a598f botnet:google chrome botnet:hacked credential_access cryptone defense_evasion discovery packer persistence rat spyware stealer trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Drops startup file
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Uses browser remote debugging
CryptOne packer
Detect Vidar Stealer
Detect Xworm Payload
Njrat family
Quasar RAT
Quasar family
Quasar payload
Vidar
Vidar family
Xworm
Xworm family
njRAT/Bladabindi
Malware Config
C2 Extraction:
https://t.me/gu77xt
https://steamcommunity.com/profiles/76561199863931286
66.63.187.164:8594
66.63.187.164:8596
66.63.187.164:8595
Verdict: Malicious
Tags: Win.Packed.Agen-10045323-0 stealc
YARA: n/a

Unpacked files
SHA256 hash: dffb6dc781261370654389e525a629ab9368b2fca8ffb545b879adce237ec3dd
MD5 hash: dc47751324c7008990cc3aa2c012ee40
SHA1 hash: 33cce04e1fc9b643028c19c53bba664ebc2c4790
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: XWorm
File type: Executable exe
SHA256: dffb6dc781261370654389e525a629ab9368b2fca8ffb545b879adce237ec3dd (this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                          Title                                              Severity
CHECK_AUTHENTICODE          Missing Authenticode                               high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (GUARD_CF)    high

Reviews

ID                  Capabilities                     Evidence
WIN32_PROCESS_API   Can Create Process and Threads   KERNEL32.dll::CloseHandle
                                                     KERNEL32.dll::CreateThreadpoolWork
WIN_BASE_API        Uses Win Base API                KERNEL32.dll::TerminateProcess
                                                     KERNEL32.dll::LoadLibraryExW
                                                     KERNEL32.dll::GetStartupInfoW
                                                     KERNEL32.dll::GetCommandLineA
                                                     KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API   Can Execute other programs       KERNEL32.dll::WriteConsoleW
                                                     KERNEL32.dll::FreeConsole
                                                     KERNEL32.dll::ReadConsoleW
                                                     KERNEL32.dll::SetStdHandle
                                                     KERNEL32.dll::GetConsoleMode
                                                     KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API     Can Create Files                 KERNEL32.dll::CreateFileW

Comments