MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3ca848b708d70699ccf0802a0a9885fa8b4e183e6234e6f572bf0e46cc79495. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 19

Intelligence 19 IOCs YARA 4 File information Comments

SHA256 hash:	f3ca848b708d70699ccf0802a0a9885fa8b4e183e6234e6f572bf0e46cc79495
SHA3-384 hash:	6565fefc80e20f843f8a54344bd3611918ce1ef34457cdce0265229d4e4635c741e02d9eefc2078c3bfc5d02b6a0553a
SHA1 hash:	bf4d890e707fb0166a70df5b8c6830aafecbf57c
MD5 hash:	d9a392caafa8e72245bd325b826e5a97
humanhash:	spring-may-nevada-seven
File name:	Shipping Order - S509242880 - ISF Details - TPE59242880.XLSX.scr
Download:	download sample
Signature	XWorm Create hunting rule
File size:	536'576 bytes
First seen:	2025-10-22 03:13:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:KedYAhukUcV50hCBeMMU+8sEZbFosjGZ0E7avQObsfv9x:KedYAVUcjC/U+s+sX
Threatray	2'112 similar samples on MalwareBazaar
TLSH	T104B4CF9C3215F99FC883C5719A54DE74A6206DAA9307C11389E71CEFB90CE97EF180E2
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	threatcat_ch
Tags:	exe xworm

Intelligence

File Origin

# of uploads :

# of downloads :

169

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Shipping Order - S509242880 - ISF Details - TPE59242880.XLSX.scr

Verdict:

Malicious activity

Analysis date:

2025-10-22 03:15:08 UTC

Tags:

auto-startup remote xworm

Link:

https://app.any.run/tasks/4c8a2cc4-b419-4e0a-b02f-e7412bf00a91

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/33677/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68f84be93edd081eba40996d

Tags:

autorun keylog micro sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Creating a file in the %AppData% directory

Using the Windows Management Instrumentation requests

Setting a global event handler for the keyboard

Connection attempt to an infection source

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 bitmap formbook krypt lolbin masquerade msbuild obfuscated obfuscated packed packed reconnaissance regsvcs rezer0 roboski schtasks stego unsafe vbc vbnet xworm

Link:

https://www.filescan.io/uploads/68f84be3c85c5c5697319f98/reports/715f7e46-d09c-4c92-9ed5-3d3592415fc8/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/f3ca848b708d70699ccf0802a0a9885fa8b4e183e6234e6f572bf0e46cc79495

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-22T00:07:00Z UTC

Last seen:

2025-10-23T11:16:00Z UTC

Hits:

~1000

Detections:

Backdoor.MSIL.XWorm.c Backdoor.MSIL.XWorm.b HEUR:Trojan-PSW.MSIL.Agensla.gen Trojan.MSIL.Taskun.sb Trojan.MSIL.Crypt.sb Backdoor.MSIL.XWorm.a PDM:Trojan.Win32.Generic Trojan-Downloader.MSIL.Starpast.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Agent.sb

Link:

https://opentip.kaspersky.com/f3ca848b708d70699ccf0802a0a9885fa8b4e183e6234e6f572bf0e46cc79495/results?tab=lookup

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8a0e3589-1585-452e-b38d-7392b0ce776c

Result

Threat name:

XWorm

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1799537

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM3

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f3ca848b708d70699ccf0802a0a9885fa8b4e183e6234e6f572bf0e46cc79495

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f3ca848b708d70699ccf0802a0a9885fa8b4e183e6234e6f572bf0e46cc79495/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/f3ca848b708d70699ccf0802a0a9885fa8b4e183e6234e6f572bf0e46cc79495

Threat name:

Win32.Backdoor.FormBook

Status:

Malicious

First seen:

2025-10-22 02:58:17 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 38 (65.79%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6pfijc3qrvygthgpbabkbkmil6uljymd4yru432xfpyoi3ghsskq._file

Verdict:

malicious

Label(s):

unc_loader_037

xworm

XWorm

2cd68c73f407a88d29c7599a427f747f4f686dd12c33be96589d49f2f879d080

XWorm

6685b94cd75854876b6d65f83c1b2c886292d9f9eb62dd595ddce7c4ea0dfd8b

XWorm

870e13f74435cfa499c3a6db21f49d2217f0b654f937f28e7cb461eba698d1b8

XWorm

e64ad2ba0b6bc73561dfa9bf388160eb50e98463f9a4984d5e315bb3c0b0f4ad

XWorm

error

XWorm

f0a54d67d5073a53fbef42ce7bb9c3422cd4d02236c677a58a7b74d7d2bec5c3

XWorm

f3ca848b708d70699ccf0802a0a9885fa8b4e183e6234e6f572bf0e46cc79495

XWorm

+ 2'102 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm discovery rat trojan

Link:

https://tria.ge/reports/251022-dq3hjshn5w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Drops startup file

Detect Xworm Payload

Xworm

Xworm family

Malware Config

C2 Extraction:

104.250.180.178:7061

Unpacked files

SH256 hash:

f3ca848b708d70699ccf0802a0a9885fa8b4e183e6234e6f572bf0e46cc79495

MD5 hash:

d9a392caafa8e72245bd325b826e5a97

SHA1 hash:

bf4d890e707fb0166a70df5b8c6830aafecbf57c

Link:

https://www.unpac.me/results/b70df4e6-d51f-4f16-b929-562cb610778a/

SH256 hash:

f6a4ff97d92cb44032061e68551d57841878725e093f46d15cbe8e1e756d41b5

MD5 hash:

af33d3ecbf199ccabd9ac6786db02c3e

SHA1 hash:

29f6fa5c276c1f077ed3cf591705d7ffd361dacc

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/b70df4e6-d51f-4f16-b929-562cb610778a/

SH256 hash:

b75c0b441c294e78ed00afecc3a6a61d5bca7b8c3315dffd62760d3352f6a6ba

MD5 hash:

20c1b580014f31baa3a4c87fe8c5d090

SHA1 hash:

31728a784ec7c8cb8d66d41ce3ec0e5cf53acd92

Detections:

win_xworm_a0

win_xworm_w0

XWorm

win_xworm_bytestring

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

MALWARE_Win_XWorm

Link:

https://www.unpac.me/results/b70df4e6-d51f-4f16-b929-562cb610778a/

Parent samples :

e64ad2ba0b6bc73561dfa9bf388160eb50e98463f9a4984d5e315bb3c0b0f4ad
2cd68c73f407a88d29c7599a427f747f4f686dd12c33be96589d49f2f879d080
f3ca848b708d70699ccf0802a0a9885fa8b4e183e6234e6f572bf0e46cc79495
b8c503270d33ed23ceeaa85d67c5621b050053199d6d12b1c27b339083bf14f0
50bc637d09d5520923e70f25d7325483f81a00061f883278bd68b94d93917d9c
4e12323d957c2b29d873e8ac7acd749b18c2f862fdeb28503041ccb1cbac9f22

SH256 hash:

9f2bdadb8926bf6157c7487e994ec28657f9415fd2fdf97a5ba82ba12e24046a

MD5 hash:

0e1119a6df48b550ad1353d136297ef3

SHA1 hash:

3f89b2297c1e0a29932eb25741a51538e005d565

Link:

https://www.unpac.me/results/b70df4e6-d51f-4f16-b929-562cb610778a/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f3ca848b708d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f3ca848b708d70699ccf0802a0a9885fa8b4e183e6234e6f572bf0e46cc79495

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

exe f3ca848b708d70699ccf0802a0a9885fa8b4e183e6234e6f572bf0e46cc79495

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/33677/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample