MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1aeda735fa70ed48bd023422665bb1f77b7b0127fae9dfa882396d7fe0e24fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


UmbralStealer


Vendor detections: 19


Intelligence 19 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1aeda735fa70ed48bd023422665bb1f77b7b0127fae9dfa882396d7fe0e24fd
SHA3-384 hash: c1f90b2adf5a5fed3c08c374d8389c4437b5ef58fdc132f2b72b7828e3f67eee71abe828c1d18e638af350c34df6991f
SHA1 hash: f091e7531fa3118b47e0d781bd566ea9265f5fd4
MD5 hash: 3ecea4cff17eed6e1ff4bca02a50ccae
humanhash: shade-texas-steak-seventeen
File name:XwormV5.6.exe
Download: download sample
Signature UmbralStealer
Create hunting rule
File size:13'631'488 bytes
First seen:2026-03-26 22:24:18 UTC
Last seen:2026-03-26 23:25:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'857 x AgentTesla, 19'783 x Formbook, 12'304 x SnakeKeylogger)
ssdeep 196608:Zf88qMH2HKt3eG1VqYLAphYrBjeNhmfN:68qMWqVejlpWrBjP
Threatray 26 similar samples on MalwareBazaar
TLSH T15BD633B5A1840534D5DA40FB79ED82788973C957B802F941CDE2A8D436FFF293AB8C19
TrID 34.1% (.EXE) Win64 Executable (generic) (6522/11/2)
23.5% (.EXE) Win32 Executable (generic) (4504/4/1)
10.7% (.ICL) Windows Icons Library (generic) (2059/9)
10.6% (.EXE) OS/2 Executable (generic) (2029/13)
10.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter BastianHein
Tags:exe UmbralStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
152
Origin country :
CL CL
Vendor Threat Intelligence
Malware configuration found for:
EvilCoder Umbral XWorm
Details
EvilCoder
extracted components, their filepaths, and possibly registry installation
Umbral
a Discord webhook, a version, a mutex, and varying boolean fields
XWorm
a version, c2 socket address, filepath, and mutex
Link:
https://research.acce.ciphertechsolutions.com/results/f87a392f-4b13-4058-814a-bfc35e38d9ac/
Malware family:
n/a
ID:
1
File name:
XwormV5.6.exe
Verdict:
Malicious activity
Analysis date:
2026-03-25 11:55:59 UTC
Tags:
anti-evasion evasion stealer umbralstealer discord exfiltration arch-doc umbral generic divulgestealer
Link:
https://app.any.run/tasks/3799f560-9d0e-4fc3-8f56-a59a3ed6134e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/59441/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop21.55508.8826.29801.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69c3cd46aacb4c376b13df8b
Tags:
vmdetect asyncrat
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Sending an HTTP GET request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed vbnet
Link:
https://www.filescan.io/uploads/69c5b2472346b9da57a9a2f3/reports/6d5f64cc-d9cb-4c6b-87d8-c06f7c7af94e/overview
Verdict:
Malicious
Labled as:
MSIL.Packy.Generic
Link:
https://www.hybrid-analysis.com/sample/e1aeda735fa70ed48bd023422665bb1f77b7b0127fae9dfa882396d7fe0e24fd
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-03-25T06:06:00Z UTC
Last seen:
2026-03-28T05:25:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-PSW.MSIL.Umbral.gen Backdoor.MSIL.XWorm.b Trojan.MSIL.Agent.sba Trojan.MSIL.Agent.sb HEUR:Trojan-Dropper.MSIL.Agent.gen HEUR:Trojan.MSIL.Exnet.gen HEUR:Backdoor.MSIL.XWorm.gen Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Umbral.ii Trojan-PSW.MSIL.Stealer.sb Trojan-Downloader.Win32.Bitser.sb Trojan.Win32.Agent.sb Trojan-PSW.MSIL.Umbral.sb HEUR:Trojan-Spy.MSIL.Stealer.gen HackTool.MSIL.Agent.sb
Link:
https://opentip.kaspersky.com/e1aeda735fa70ed48bd023422665bb1f77b7b0127fae9dfa882396d7fe0e24fd/results?tab=lookup
Malware family:
Sharp Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a8098224-0abc-4501-959e-0eece5fecc1e
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e1aeda735fa70ed48bd023422665bb1f77b7b0127fae9dfa882396d7fe0e24fd
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.21 Win 32 Exe x86
Link:
https://app.malva.re/file/3ecea4cff17eed6e1ff4bca02a50ccae
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e1aeda735fa70ed48bd023422665bb1f77b7b0127fae9dfa882396d7fe0e24fd/
Verdict:
Malicious
Threat:
Family.XBINDER
Link:
https://tip.neiki.dev/file/e1aeda735fa70ed48bd023422665bb1f77b7b0127fae9dfa882396d7fe0e24fd
Threat name:
ByteCode-MSIL.Trojan.XWormRAT
Create hunting rule
Status:
Malicious
First seen:
2026-03-25 11:27:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4gxnu427u4hnjc6qenbcmzn3d533pmasp6xj36uieolnp7qoet6q._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
unc_loader_063
Create hunting rule
umbralstealer
Create hunting rule
Similar samples:
2046038ba47b17734e87a5d63bc9a0637bbb3abe6974f839c0d43afe2761d7b5
UmbralStealer
bfbba360c8bf4ce938b03724c44f8769c5d490dac37e835208c49e4244e6059b
UmbralStealer
c3c6d87360470a933aea84a664e6c65a1d0b626c7acd54541ea4ddcee159a39c
UmbralStealer
c3eb6fdc183061734d56720392950b5e281dbbe70a5613747bcaae356dcbc8a9
UmbralStealer
e1aeda735fa70ed48bd023422665bb1f77b7b0127fae9dfa882396d7fe0e24fd
UmbralStealer
error
UmbralStealer
fa91e6e3eba2e4deb6ff092b9bf94944ce12b9346d5db218497602d08098094a
UmbralStealer
+ 16 additional samples on MalwareBazaar
Result
Malware family:
xbinder
Create hunting rule
Score:
  10/10
Tags:
family:umbral family:xbinder defense_evasion execution loader spyware stealer
Link:
https://tria.ge/reports/260326-2b258sft2j/
Behaviour
Detects videocard installed
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Contacts third-party web service commonly abused for C2
Looks up external IP address via web service
Checks computer location settings
Disables automatic submission of suspicious files to Microsoft by Windows Defender
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Disables one or more Microsoft Defender components
Detects Umbral payload
Umbral
Umbral family
XBinder
Xbinder family
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1486034224719990898/cdIsqZlxD5Dax8_ev5spNqv6MklKOUY01nv4-tDjdpvImzxZFZs3M0RMJn-xD9C5qA3X
Unpacked files
SH256 hash:
e1aeda735fa70ed48bd023422665bb1f77b7b0127fae9dfa882396d7fe0e24fd
MD5 hash:
3ecea4cff17eed6e1ff4bca02a50ccae
SHA1 hash:
f091e7531fa3118b47e0d781bd566ea9265f5fd4
Link:
https://www.unpac.me/results/5a27619e-d21d-4842-a031-890ccaa46afc/
SH256 hash:
5dfab5f363e636652c369c11bcb342e7ac754b7032f9dafd1529627be784b355
MD5 hash:
aa27a0b112f22d1dafc1015296b7edd8
SHA1 hash:
8d5d5f4e216d9eae6c9e19ee88d39216e73dfae2
Detections:
win_xworm_a0
Create hunting rule
win_xworm_w0
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/5a27619e-d21d-4842-a031-890ccaa46afc/
Parent samples :
c3c6d87360470a933aea84a664e6c65a1d0b626c7acd54541ea4ddcee159a39c
e1aeda735fa70ed48bd023422665bb1f77b7b0127fae9dfa882396d7fe0e24fd
c3eb6fdc183061734d56720392950b5e281dbbe70a5613747bcaae356dcbc8a9
SH256 hash:
0596e7d8d098455f5ee6afed73ef1c3c49c205798e4aad749116ca95113b160b
MD5 hash:
a3d2643024b1ca704328571ab8a72505
SHA1 hash:
f5723f7bac396aad64c30c75b1fdaf3d137186a7
Detections:
INDICATOR_EXE_Packed_Fody
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxComputerNames
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs
Create hunting rule
MALWARE_Win_UmbralStealer
Create hunting rule
Link:
https://www.unpac.me/results/5a27619e-d21d-4842-a031-890ccaa46afc/
Parent samples :
c3c6d87360470a933aea84a664e6c65a1d0b626c7acd54541ea4ddcee159a39c
e1aeda735fa70ed48bd023422665bb1f77b7b0127fae9dfa882396d7fe0e24fd
c3eb6fdc183061734d56720392950b5e281dbbe70a5613747bcaae356dcbc8a9
SH256 hash:
64a0a588bfb057c877f42773976fd6952be90eafd373b3d0595fe20a8faccd74
MD5 hash:
1c3b5af02f308c2d61314fe6344a7434
SHA1 hash:
5a0278ad2d2cd2437044e4d8b5e998533982293b
Link:
https://www.unpac.me/results/5a27619e-d21d-4842-a031-890ccaa46afc/
SH256 hash:
60b19320a6fb573c6bc5fe32b0f9d5f9874876a680dfcad05271edb17389d48f
MD5 hash:
e0713e49460cf9570c1b4873d98e0d5b
SHA1 hash:
d29011604ffbf75d945e745891ae0ff7255ca56a
Link:
https://www.unpac.me/results/5a27619e-d21d-4842-a031-890ccaa46afc/
Malware family:
UmbralStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e1aeda735fa7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e1aeda735fa70ed48bd023422665bb1f77b7b0127fae9dfa882396d7fe0e24fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/59441/

Comments