MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecbdada9891b9ff975f6f17a64bb2bdb5adc64dc680d82496df2bac84ec10ae9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ecbdada9891b9ff975f6f17a64bb2bdb5adc64dc680d82496df2bac84ec10ae9
SHA3-384 hash: 270714f7eb3ecff8561f9ab6bc670ea537f5bc3e229a3db2be110e6498893c7f625bf78eaf5e6cb931a3a697f0d260bb
SHA1 hash: da9add85cf9a0febb8d7712436e38dc476f202c1
MD5 hash: 7c5dd5ccb5af538e569852b7348891b4
humanhash: october-coffee-mockingbird-maine
File name:file
Download: download sample
Signature XWorm
Create hunting rule
File size:962'048 bytes
First seen:2025-11-12 17:38:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dc7582daeca53ba9537917ac1c1a7ac6 (1 x XWorm)
ssdeep 3072:X9kpM2qu6gKDk7a+UC5pZuatdhf3rG14dLDobX:EVqu6bkZT/f0D
TLSH T17615F1F8D40752E4DA8EC0B65CB3A0398DFB39A39A720F5E583DA431DD46582BB3C951
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543 xworm


Avatar
Bitsight
url: http://178.16.54.200/files/5765596543/ZF0zwq7.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ecbdada9891b9ff975f6f17a64bb2bdb5adc64dc680d82496df2bac84ec10ae9.bin.exe
Verdict:
Suspicious activity
Analysis date:
2025-11-12 17:39:31 UTC
Tags:
auto-startup
Link:
https://app.any.run/tasks/baef414d-e99b-4185-bba0-3d05c11ad772

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/37743/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6914c61160ebe843fe8d6d64
Tags:
autorun extens shell spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
DNS request
Connection attempt
Creating a window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Connection attempt to an infection source
Setting a global event handler for the keyboard
Query of malicious DNS domain
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug explorer hacktool lolbin masm packed
Link:
https://www.filescan.io/uploads/6914c60dcfdf6fd1e4d9179d/reports/4d026683-3453-4d7c-81b2-d18f9e42ec9b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ecbdada9891b9ff975f6f17a64bb2bdb5adc64dc680d82496df2bac84ec10ae9
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-11-12T14:51:00Z UTC
Last seen:
2025-11-14T00:52:00Z UTC
Hits:
~100
Detections:
Backdoor.XWorm.HTTP.C&C Backdoor.MSIL.XWorm.a Backdoor.Agent.TCP.C&C Trojan-PSW.Win32.Stealer.sb Trojan.Win64.Donut.sb Trojan.Win32.Shellcode.sb Backdoor.MSIL.XWorm.b Trojan.Win64.Agentb.sb Trojan.Agent.UDP.C&C PDM:Trojan.Win32.Generic Backdoor.MSIL.XWorm.fgv Trojan.Win64.DonutInjector.sb
Link:
https://opentip.kaspersky.com/ecbdada9891b9ff975f6f17a64bb2bdb5adc64dc680d82496df2bac84ec10ae9/results?tab=lookup
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aba9a376-a4de-4060-91d2-1949c07d951d
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ecbdada9891b9ff975f6f17a64bb2bdb5adc64dc680d82496df2bac84ec10ae9
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/7c5dd5ccb5af538e569852b7348891b4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ecbdada9891b9ff975f6f17a64bb2bdb5adc64dc680d82496df2bac84ec10ae9/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/ecbdada9891b9ff975f6f17a64bb2bdb5adc64dc680d82496df2bac84ec10ae9
Threat name:
Win64.Backdoor.Xworm
Create hunting rule
Status:
Suspicious
First seen:
2025-11-12 17:38:24 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5s623kmjdop7s5pw6f5gjozl3nnnyzg4nagyesln6k5mqtwbbluq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
donutloader
Create hunting rule
Similar samples:
error
XWorm
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5ee3e998-e9fb-4cb9-a375-cfe2427af565
Unpacked files
SH256 hash:
ecbdada9891b9ff975f6f17a64bb2bdb5adc64dc680d82496df2bac84ec10ae9
MD5 hash:
7c5dd5ccb5af538e569852b7348891b4
SHA1 hash:
da9add85cf9a0febb8d7712436e38dc476f202c1
Link:
https://www.unpac.me/results/7c5e5833-2f59-4ede-b075-20e98d55a38f/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ecbdada9891b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/ecbdada9891b9ff975f6f17a64bb2bdb5adc64dc680d82496df2bac84ec10ae9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Executable exe ecbdada9891b9ff975f6f17a64bb2bdb5adc64dc680d82496df2bac84ec10ae9

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3703844/
Cape
Cape
https://www.capesandbox.com/analysis/37743/

Comments