MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f254174cd03da1a24f879e5d6f669e6b0109449e705f25b6d54611fbc249de84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f254174cd03da1a24f879e5d6f669e6b0109449e705f25b6d54611fbc249de84
SHA3-384 hash: 2cd516e7201c0143751bf41303624b7282d6e8b8d523afe2614debd99a049e5bc406447da0bdcf2c28d50052fa1066e3
SHA1 hash: db40fd712c9c18a309f6931320cecfc07816bca6
MD5 hash: cf3319af97a91cc86fbae255c78eb25f
humanhash: beer-winter-jupiter-oscar
File name:SecuriteInfo.com.Trojan.DownLoader49.29739.30814.20572
Download: download sample
Signature XWorm
Create hunting rule
File size:502'376 bytes
First seen:2026-01-22 01:20:37 UTC
Last seen:2026-01-22 02:20:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4c785070d31918effde68a86f76fb27b (1 x DonutLoader, 1 x XWorm)
ssdeep 6144:wBSbnvsgOFgHit/EyU0cK66x0d07dR8dIe2C6SdBHUWq+9yN86IpKIGl9AvXZq2K:wBSIeit/EzKTbHoSjafJkJ++DnrQBg
Threatray 766 similar samples on MalwareBazaar
TLSH T1B4B4C58336DB0CEAEE932B3C51D76336AB36FE608B3A4B6B5114C2311C135D16E6A754
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
FR FR
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.DownLoader49.29739.30814.20572.exe
Verdict:
No threats detected
Analysis date:
2026-01-22 01:24:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1dce012b-19c2-46d4-90cb-92b0eab7d669

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/49689/
Verdict:
Clean
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69717b77bcad3327ec0771cf
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug crypto explorer hacktool lolbin overlay packed unsafe xworm
Link:
https://www.filescan.io/uploads/69717b6cf3c1b7b1fbd9a590/reports/c9a3514d-34b3-4660-a9f0-b232b207c19d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f254174cd03da1a24f879e5d6f669e6b0109449e705f25b6d54611fbc249de84
Result
Gathering data
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-21T16:32:00Z UTC
Last seen:
2026-01-21T18:43:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/f254174cd03da1a24f879e5d6f669e6b0109449e705f25b6d54611fbc249de84/results?tab=lookup
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0e165d23-f1f0-4b89-b00c-f2d76f56ec86
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f254174cd03da1a24f879e5d6f669e6b0109449e705f25b6d54611fbc249de84
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/cf3319af97a91cc86fbae255c78eb25f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f254174cd03da1a24f879e5d6f669e6b0109449e705f25b6d54611fbc249de84/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/f254174cd03da1a24f879e5d6f669e6b0109449e705f25b6d54611fbc249de84
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6jkbotgqhwq2et4htzow6zu6nmaqsre6obpslnwviyi7xqsj32ca._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
donutloader
Create hunting rule
Similar samples:
265c206b96681a366798236f5982aaaf4d21ac39ca86db21847ca2a8f4432dd6
XWorm
3a444e7690f35fee4be070d0656bc7f0adab9bdcec798d5af27fc3c93e08f611
XWorm
4e378740e132d999256cd8c9c23e3b7fbd970d43fe940ef290bc139a6405f620
XWorm
8174c657b304d3e67522a5b1995486245deeff57b36643b3ac2ab1f956c11755
XWorm
9c9cf095c3ff1c23a4938f8f815055521383bc6ec5e27d4647f0f6037f500402
XWorm
9f64cb8fde71c95ef227494e8e57ca897fcda3453156ba054689cfbe135fb208
XWorm
ad925bc485fb6fa119d5479f42e54555e84c20ab77a6b7641cda4532047c2789
XWorm
error
XWorm
f254174cd03da1a24f879e5d6f669e6b0109449e705f25b6d54611fbc249de84
XWorm
+ 756 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:xworm collection discovery loader pyinstaller ransomware rat trojan
Link:
https://tria.ge/reports/260122-bqh3ssas7f/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detect Xworm Payload
Detects DonutLoader
DonutLoader
Donutloader family
Xworm
Xworm family
Malware Config
C2 Extraction:
151.241.154.73:6000
Unpacked files
SH256 hash:
f254174cd03da1a24f879e5d6f669e6b0109449e705f25b6d54611fbc249de84
MD5 hash:
cf3319af97a91cc86fbae255c78eb25f
SHA1 hash:
db40fd712c9c18a309f6931320cecfc07816bca6
Link:
https://www.unpac.me/results/2e6e6685-c2d7-4ed2-af1e-cbddc5767421/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f254174cd03d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f254174cd03da1a24f879e5d6f669e6b0109449e705f25b6d54611fbc249de84

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Executable exe f254174cd03da1a24f879e5d6f669e6b0109449e705f25b6d54611fbc249de84

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/49689/
  
URLhaus
https://urlhaus.abuse.ch/url/3761541/
  
Delivery method
Distributed via web download

Comments