MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e88f233b6925f8bf72e0b89baaa1fc52d5c7fdc52f8018de86af8cb0e902709b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e88f233b6925f8bf72e0b89baaa1fc52d5c7fdc52f8018de86af8cb0e902709b
SHA3-384 hash: 9beacb8fa92a7b095e7384c8c92a8ef9d549b97db4e9b30729e594ada57178313a55cb5069e3308faa55e6d81b65bf36
SHA1 hash: ac9fae264147b07d6306784d6738e768e89ec389
MD5 hash: 7524d560b667b8ed62f16bc59772d81f
humanhash: lactose-berlin-fifteen-beryllium
File name:7524d560b667b8ed62f16bc59772d81f
Download: download sample
Signature XWorm
Create hunting rule
File size:7'396'090 bytes
First seen:2024-07-08 11:11:47 UTC
Last seen:2024-07-08 11:21:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a23b267d3c27d78228e9d8a9833617e0 (1 x RemcosRAT, 1 x XWorm)
ssdeep 98304:tPx1VR1MSpVQJu7ikcXqhKRgGJC1LIrip+M38GEcfNv3SsnFx3ai3i/bgkqf1nnH:dxHR1likZGgv1LH6cBSeqi3idqfVnPLD
TLSH T1CB76227667F820FDD5BA46BAD2809172FF75B50D3320517ECAA8952C2F3A96464BF300
TrID 72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
13.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.EXE) OS/2 Executable (generic) (2029/13)
2.5% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon b2e1b496a6cada72 (13 x LummaStealer, 12 x AsyncRAT, 8 x Rhadamanthys)
Reporter zbetcheckin
Tags:64 exe xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
387
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e88f233b6925f8bf72e0b89baaa1fc52d5c7fdc52f8018de86af8cb0e902709b.exe
Verdict:
Malicious activity
Analysis date:
2024-07-08 11:13:27 UTC
Tags:
remote xworm
Link:
https://app.any.run/tasks/d211a99a-631c-4901-be1c-9d23050e5064

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Program.Unwanted.5405.8558.14025.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=668bc9853bd942ce8f6df805win10vpnfull_triage
Tags:
Encryption Execution Generic Network Static Stealth Trojan Agent
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a window
Launching cmd.exe command interpreter
Connection attempt
Transferring files using the Background Intelligent Transfer Service (BITS)
Enabling the 'hidden' option for recently created files
Launching a process
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug CAB crypto expand fingerprint installer keylogger lolbin microsoft_visual_cc overlay packed packed runonce shell32
Link:
https://www.filescan.io/uploads/668bc985fa6ffdddde46eb0b/reports/88a088eb-5a55-44ff-836b-ca906e51dce8/overview
Verdict:
Malicious
Labled as:
Midie.Generic
Link:
https://www.hybrid-analysis.com/sample/e88f233b6925f8bf72e0b89baaa1fc52d5c7fdc52f8018de86af8cb0e902709b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IEInspector Software
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b83ef53a-d2d2-405a-9b52-a023d1051d57
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1469057
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1469057 Sample: kr5u9eDLvb.exe Startdate: 08/07/2024 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 11 other signatures 2->57 10 kr5u9eDLvb.exe 8 2->10         started        process3 file4 33 C:\Windows\Temp\...\kr5u9eDLvb.exe, PE32+ 10->33 dropped 13 kr5u9eDLvb.exe 23 10->13         started        process5 file6 35 C:\Windows\Temp\...\vclx120.bpl, PE32 13->35 dropped 37 C:\Windows\Temp\...\vcl120.bpl, PE32 13->37 dropped 39 C:\Windows\Temp\...\rtl120.bpl, PE32 13->39 dropped 41 8 other malicious files 13->41 dropped 16 iTopDataRecovery.exe 1 13->16         started        process7 signatures8 45 Maps a DLL or memory area into another process 16->45 47 Switches to a custom stack to bypass stack traces 16->47 49 Found direct / indirect Syscall (likely to bypass EDR) 16->49 19 cmd.exe 4 16->19         started        process9 file10 31 C:\Users\user\AppData\Local\...\umvkmafhtbglo, PE32 19->31 dropped 59 Writes to foreign memory regions 19->59 61 Found hidden mapped module (file has been removed from disk) 19->61 63 Maps a DLL or memory area into another process 19->63 65 Switches to a custom stack to bypass stack traces 19->65 23 MSBuild.exe 1 13 19->23         started        27 conhost.exe 19->27         started        signatures11 process12 dnsIp13 43 85.209.133.150, 49713, 6677 CMCSUS Germany 23->43 67 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->67 69 Loading BitLocker PowerShell Module 23->69 29 WmiPrvSE.exe 23->29         started        signatures14 process15
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e88f233b6925f8bf72e0b89baaa1fc52d5c7fdc52f8018de86af8cb0e902709b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e88f233b6925f8bf72e0b89baaa1fc52d5c7fdc52f8018de86af8cb0e902709b/
Threat name:
Win64.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2024-07-08 11:12:07 UTC
File Type:
PE+ (Exe)
Extracted files:
251
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5chsgo3jex4l64xaxcn2vip4klk4p7off6abrxugv6glb2icocnq._file
Verdict:
malicious
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm rat trojan
Link:
https://tria.ge/reports/240708-nat7caycme/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Contains code to disable Windows Defender
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction:
85.209.133.150:6677
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8a07cd92-eaa6-4b51-a5b4-252f2612080e
Unpacked files
SH256 hash:
eb48e0e36be7b0a89a0b8cc129a3b004a8525e5f60445e5ca48a7810d9d93725
MD5 hash:
f65c3b116281fd23e5748ad73e9501cf
SHA1 hash:
ebda8a741833c4fcbfcb72591a7c173d69a01ebd
Link:
https://www.unpac.me/results/363ce252-ff37-41c0-a1ab-83de9b7928a6/
SH256 hash:
b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628
MD5 hash:
849070ebd34cbaedc525599d6c3f8914
SHA1 hash:
b0543d13f4d0cb787abdaaf1d3c9a5af17c87afa
Link:
https://www.unpac.me/results/363ce252-ff37-41c0-a1ab-83de9b7928a6/
SH256 hash:
b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3
MD5 hash:
630991830afe0b969bd0995e697ab16e
SHA1 hash:
feda243d83fba15b23d654513dc1f0d70787ba18
Link:
https://www.unpac.me/results/363ce252-ff37-41c0-a1ab-83de9b7928a6/
SH256 hash:
9760afe7f7ec9c9a6d885a944cbafec52091a4fadd893ebb0a003f696cab747f
MD5 hash:
88659c389547bdc3515c446cc6670208
SHA1 hash:
2800f0a84d8e4194e778b1a7ce829b35568160e1
Link:
https://www.unpac.me/results/363ce252-ff37-41c0-a1ab-83de9b7928a6/
SH256 hash:
6010e2147a0f51a7bfa2f942a5a9eaad9a294f463f717963b486ed3f53d305c2
MD5 hash:
28f0ccf746f952f94ff434ca989b7814
SHA1 hash:
506e85d2de6377492d90b98aa20663b0ff3ce32a
Link:
https://www.unpac.me/results/363ce252-ff37-41c0-a1ab-83de9b7928a6/
SH256 hash:
52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006
MD5 hash:
84bc072f8ea30746f0982afbda3c638f
SHA1 hash:
f39343933ff3fc7934814d6d3b7b098bc92540a0
Link:
https://www.unpac.me/results/363ce252-ff37-41c0-a1ab-83de9b7928a6/
SH256 hash:
3c317dbab70d3ab4fce944c92532d111f69fd71dca5c7f7c7b8d57e657f26a1a
MD5 hash:
95387cc85dacad60b3e10665b43602e6
SHA1 hash:
d9aafd45fe3ad10d28716d6289fe76b4fdce1869
Link:
https://www.unpac.me/results/363ce252-ff37-41c0-a1ab-83de9b7928a6/
SH256 hash:
2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed
MD5 hash:
7daa2b7fe529b45101a399b5ebf0a416
SHA1 hash:
fd73f3561d0cebe341a6c380681fb08841fa5ce6
Link:
https://www.unpac.me/results/363ce252-ff37-41c0-a1ab-83de9b7928a6/
SH256 hash:
16126ff5daa3787a159cf4a39aa040b8050ebb66ab90dbb97c503110ef72824a
MD5 hash:
dc6655a38ffdc3c349f13828fc8ec36e
SHA1 hash:
95db71ef7bff8c16ce955c760292bad9f09bb06d
Link:
https://www.unpac.me/results/363ce252-ff37-41c0-a1ab-83de9b7928a6/
SH256 hash:
e88f233b6925f8bf72e0b89baaa1fc52d5c7fdc52f8018de86af8cb0e902709b
MD5 hash:
7524d560b667b8ed62f16bc59772d81f
SHA1 hash:
ac9fae264147b07d6306784d6738e768e89ec389
Link:
https://www.unpac.me/results/363ce252-ff37-41c0-a1ab-83de9b7928a6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e88f233b6925f8bf72e0b89baaa1fc52d5c7fdc52f8018de86af8cb0e902709b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Executable exe e88f233b6925f8bf72e0b89baaa1fc52d5c7fdc52f8018de86af8cb0e902709b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2944288/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
ADVAPI32.dll::CreateWellKnownSid
ADVAPI32.dll::SetEntriesInAclW
ADVAPI32.dll::SetEntriesInAclA
ADVAPI32.dll::SetNamedSecurityInfoW
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoInitializeSecurity
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::IsWellKnownSid
ADVAPI32.dll::SetSecurityDescriptorDacl
ADVAPI32.dll::SetSecurityDescriptorGroup
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::SetProcessShutdownParameters
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_APICan Encrypt FilesADVAPI32.dll::DecryptFileW
WIN_CRYPT_APIUses Windows Crypt APIADVAPI32.dll::CryptAcquireContextW
ADVAPI32.dll::CryptCreateHash
ADVAPI32.dll::CryptGetHashParam
ADVAPI32.dll::CryptHashData
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::ChangeServiceConfigW
ADVAPI32.dll::ControlService
ADVAPI32.dll::OpenSCManagerW
ADVAPI32.dll::OpenServiceW
ADVAPI32.dll::QueryServiceConfigW
ADVAPI32.dll::QueryServiceStatus
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments


Avatar
zbet commented on 2024-07-08 11:11:48 UTC

url : hxxp://85.209.133.132/file/install.exe