MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e16da9378102610d816b5e0314ab1537201ba84f24119dbc6be68e8199180d0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e16da9378102610d816b5e0314ab1537201ba84f24119dbc6be68e8199180d0d
SHA3-384 hash: 88d9f0b2080d40b801143a5c3a4be1bddc3c8b784e622efd61062a8263e0c583ca3ee000b898c69f8af3534b6fa94285
SHA1 hash: d2f2a7f7abbfe524448dc87b8789e938cd768da6
MD5 hash: 80a1e0f8fa9262c2e21b2b4ab55945c0
humanhash: yellow-colorado-six-alaska
File name:rc.ps1
Download: download sample
Signature XWorm
Create hunting rule
File size:780 bytes
First seen:2025-04-13 18:22:03 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 24:dYCqkgIiwa6AIN1WP/6f2x2x/GSL2FAT6AzRf2pELtTFv:2Cq3Iiwa6VLc/6u8dbyCrRepmJFv
Threatray 66 similar samples on MalwareBazaar
TLSH T1E1012B1A3883E3346B524F6BBE6F69C4D01C165321C4A444B0FC8D8AFF39030BA99D1E
Magika powershell
Reporter JAMESWT_WT
Tags:92-255-85-2 booking ClickFix FakeCaptcha ps1 xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
193
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67fc0256d6e7c3effad1f327
Tags:
trojan virus sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive obfuscated
Link:
https://www.filescan.io/uploads/67fc00cfb070fb3f946327aa/reports/02a95007-a58d-4b60-8d12-7617dd8622d3/overview
Verdict:
Malicious
Labled as:
BZC.PZQ.Boxter.928
Link:
https://www.hybrid-analysis.com/sample/e16da9378102610d816b5e0314ab1537201ba84f24119dbc6be68e8199180d0d
Result
Threat name:
AsyncRAT, DcRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1664227
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Compiles code for process injection (via .Net compiler)
Contains functionality to capture screen (.Net source)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected DcRat
Behaviour
Behavior Graph:
Download SVG
Score:
1%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/e16da9378102610d816b5e0314ab1537201ba84f24119dbc6be68e8199180d0d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e16da9378102610d816b5e0314ab1537201ba84f24119dbc6be68e8199180d0d/
Threat name:
Script-PowerShell.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2025-04-11 23:12:22 UTC
File Type:
Text (PowerShell)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4fw2sn4bajqq3alllybrjkyvg4qbxkcpeqiz3pdl42hidgiybugq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
boratrat
Create hunting rule
Similar samples:
0f1073c5cacf5009f6097cf771b71ab18e3350fd445935ce72ac1b45fd175291
XWorm
125c9452b7bad6fc88ebd3bbc945cfb09ddd17143f6d86d2e9546da0ce55a4bb
XWorm
2934a9348fe15bcc85228667593a6e5ce0a4b831ce481b290c1ba7ebeb907c20
XWorm
3b1a7f4151f967d6574f3c26de9eba9745123e19b61bfb6d5494c2a777da8a21
XWorm
440c3df99e39d7adbbd231ab92b01c2e70e276703e8b5831822bba1facc7e1b9
XWorm
927dedee3e4382a8aba77ee2322bb9aead633344f8cdccec0ce4c5e19fddb5b8
XWorm
d49af631d0fd3acbdaf7cdd6e6d30ea162c4f1ead48221e86dbe0d2c1e59e11c
XWorm
ea09ce7cfee9dd88c2bd0bd54ad9144ecbcba2fbb3c7fe5189877c236467ec8e
XWorm
error
XWorm
+ 56 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/250413-wzyvts11gz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Malware Config
Dropper Extraction:
http://92.255.85.2/pixel.exe
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
XWorm
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e16da9378102610d816b5e0314ab1537201ba84f24119dbc6be68e8199180d0d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_Remcos_RAT
Create hunting rule
Author:daniyyell
Description:Detects Remcos RAT payloads and commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

PowerShell (PS) ps1 e16da9378102610d816b5e0314ab1537201ba84f24119dbc6be68e8199180d0d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3510642/
  
Delivery method
Distributed via web download

Comments