MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef106973aa35c6a1e39e05c6dde63e421794faba9109a2a9cb2f9cebd363e053. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef106973aa35c6a1e39e05c6dde63e421794faba9109a2a9cb2f9cebd363e053
SHA3-384 hash: bf49e2a6100a98f7d9acac6a9b57710616a85ae0c0ae312c95d64961262ffeb71b2615ee6b132eee6be245fd6535899d
SHA1 hash: 408e1ffe7504822ce432cd92624201334adb96f8
MD5 hash: 03279de260dd60989991a7d64d8559d1
humanhash: butter-wolfram-friend-mockingbird
File name:SecuriteInfo.com.Win32.RATX-gen.24922.1280
Download: download sample
Signature XWorm
Create hunting rule
File size:694'784 bytes
First seen:2023-01-17 16:35:20 UTC
Last seen:2023-01-20 09:48:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:KHnu0b+NoexY/dMmTvoQ04KHmdj4LXZ2YxHugCUTl0:KH3+NNx8BAQXldXYxHrDTl0
Threatray 8'162 similar samples on MalwareBazaar
TLSH T1BCE4F66151B64BD5D8B58EB15D38A508BFE20C818A58A22EEC523CFA4CF774EC0457FB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 10808a8c8c8a8010 (77 x Formbook, 51 x AgentTesla, 44 x RemcosRAT)
Reporter SecuriteInfoCom
Tags:exe xworm

Intelligence

File Origin
# of uploads :
3
# of downloads :
271
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.RATX-gen.24922.1280
Verdict:
Malicious activity
Analysis date:
2023-01-17 16:36:38 UTC
Tags:
xworm
Link:
https://app.any.run/tasks/07d20deb-8dba-4d54-beb5-88a2d86deea2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/353893/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.24922.1280.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c6ce77bda854045c18f6ee/reports/d5c377ea-fa85-45dd-8ce8-c2f1b57ceb0f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f8884df7-89f7-460c-ae2b-0f610b142770
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1153277
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 786007 Sample: SecuriteInfo.com.Win32.RATX... Startdate: 17/01/2023 Architecture: WINDOWS Score: 100 70 Snort IDS alert for network traffic 2->70 72 Antivirus detection for URL or domain 2->72 74 Multi AV Scanner detection for dropped file 2->74 76 9 other signatures 2->76 7 SecuriteInfo.com.Win32.RATX-gen.24922.1280.exe 7 2->7         started        11 WIKUnbPdnsP.exe 5 2->11         started        13 SecuriteInfo.com.Win32.RATX-gen.24922.1280.exe 2->13         started        15 2 other processes 2->15 process3 file4 60 C:\Users\user\AppData\...\WIKUnbPdnsP.exe, PE32 7->60 dropped 62 C:\Users\...\WIKUnbPdnsP.exe:Zone.Identifier, ASCII 7->62 dropped 64 C:\Users\user\AppData\Local\...\tmp631C.tmp, XML 7->64 dropped 66 SecuriteInfo.com.W....24922.1280.exe.log, ASCII 7->66 dropped 80 Drops PE files to the startup folder 7->80 82 Uses schtasks.exe or at.exe to add and modify task schedules 7->82 84 Adds a directory exclusion to Windows Defender 7->84 17 SecuriteInfo.com.Win32.RATX-gen.24922.1280.exe 1 6 7->17         started        22 powershell.exe 21 7->22         started        24 powershell.exe 21 7->24         started        26 schtasks.exe 1 7->26         started        86 Multi AV Scanner detection for dropped file 11->86 88 Machine Learning detection for dropped file 11->88 90 Injects a PE file into a foreign processes 11->90 34 2 other processes 11->34 28 schtasks.exe 13->28         started        30 SecuriteInfo.com.Win32.RATX-gen.24922.1280.exe 13->30         started        32 schtasks.exe 15->32         started        36 3 other processes 15->36 signatures5 process6 dnsIp7 68 154.127.53.162, 49699, 7007 COGECO-PEER1CA South Africa 17->68 52 SecuriteInfo.com.W...-gen.24922.1280.exe, PE32 17->52 dropped 54 SecuriteInfo.com.W...-gen.24922.1280.exe, PE32 17->54 dropped 56 SecuriteInfo.com.W...exe:Zone.Identifier, ASCII 17->56 dropped 58 SecuriteInfo.com.W...exe:Zone.Identifier, ASCII 17->58 dropped 78 Creates autostart registry keys with suspicious names 17->78 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        44 conhost.exe 28->44         started        46 conhost.exe 32->46         started        48 conhost.exe 34->48         started        50 conhost.exe 36->50         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef106973aa35c6a1e39e05c6dde63e421794faba9109a2a9cb2f9cebd363e053/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-01-17 11:41:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
32
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=54igs45kgxdkdy46axdn3zr6iilzj6v2see2fkolf6ooxu3d4bjq._file
Verdict:
malicious
Similar samples:
26fd5960f4df473e74ae181061882322a19eab1b37f4ebc846d8634f538d43e9
XWorm
2b924314517e86bfece5ecc1e2a6386ac415c9db078a48e7e974a08a8c6255ed
XWorm
2e45a9113007ef46e148979f14d5723b5af959b54503dd26c09895320d990eeb
XWorm
37b0b6c8e886ba54facc53bea8f5d11ea52bb2ad186ef496bac773ba989b9e89
XWorm
3ac0ff1d6a7bcbcd3feb5fd5f978b98845ac587b4b7e7be2233849295491e777
XWorm
72583f44847a7163594df6713b246140478f41f50448f9d8585ebfde2d4b3ca0
XWorm
cb7ffda616dbfb59cec05339b9bee2e7ecae48595545ee4e63d93e9751feb594
XWorm
d60b0841441e30f8c621ae74d82caed84a72125a8fef8669071c54617f4ce0f1
XWorm
e611419a4b0f0fb37a0c6ec8e6bd88c5314eb889f525ecf875eea8b6338a8f2c
XWorm
+ 8'152 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm persistence rat trojan
Link:
https://tria.ge/reports/230117-t38s4aba63/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Xworm
Malware Config
C2 Extraction:
154.127.53.162:7007
Unpacked files
SH256 hash:
cf2ee8a65730359cbdfad4c5776e648ac2852a28bbc0fd9c967197a3b61bca0a
MD5 hash:
11d78e9c5f3fb8b6dc44c5d8e45a54d0
SHA1 hash:
f431bc5bae01d50a303eae181b720dfc70f72e22
Link:
https://www.unpac.me/results/4d115326-5800-46e6-8fe2-f8c0721d967c/
SH256 hash:
873e07ed33c50255e08838f42114cfbf6661c5f6d0591181ce72aae9fd19bf4e
MD5 hash:
3f40de8063a2b115089407fc6adddfc7
SHA1 hash:
f1ad0b0b7d12bf85642d210903c63cfa04d0f6b1
Link:
https://www.unpac.me/results/4d115326-5800-46e6-8fe2-f8c0721d967c/
SH256 hash:
3318a5fa94dd519cf18c2267cd2632a577dcc08def0044305107e6c8add3a4a5
MD5 hash:
7536156ebf4b9896f894e1f94eabc837
SHA1 hash:
edcdf3bcf97ae857c6336292ee8d1d4519254bd1
Link:
https://www.unpac.me/results/4d115326-5800-46e6-8fe2-f8c0721d967c/
SH256 hash:
54d781f0dee6692c47390edf1ada295fb17a7e80ed5ccd58ab14c6ddf80a0ad8
MD5 hash:
4f6caebd865502f7c8046fbae3284c61
SHA1 hash:
be357e832bf6f61454875b37a1759cf1c5fa5ca4
Link:
https://www.unpac.me/results/4d115326-5800-46e6-8fe2-f8c0721d967c/
SH256 hash:
285786002b678c0b22c412d886b804dbc73f91f1146a44cef0c39bb5ab4797f6
MD5 hash:
4ba8124adfdead5427531f378f673c46
SHA1 hash:
83e8af8724ac95801a1d6d429894a20e401586eb
Link:
https://www.unpac.me/results/4d115326-5800-46e6-8fe2-f8c0721d967c/
SH256 hash:
ef106973aa35c6a1e39e05c6dde63e421794faba9109a2a9cb2f9cebd363e053
MD5 hash:
03279de260dd60989991a7d64d8559d1
SHA1 hash:
408e1ffe7504822ce432cd92624201334adb96f8
Link:
https://www.unpac.me/results/4d115326-5800-46e6-8fe2-f8c0721d967c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef106973aa35c6a1e39e05c6dde63e421794faba9109a2a9cb2f9cebd363e053

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/353893/

Comments