MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fea323323c852bd8f4d1f53f7f192f6c69e11a77907f82f63118793a550d7d69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fea323323c852bd8f4d1f53f7f192f6c69e11a77907f82f63118793a550d7d69
SHA3-384 hash: ce61a88679340552a0563783666075c6245dcdeee965e4d637ca0fab60194e6f03254c7565a50baa2ad917bcc949bbbc
SHA1 hash: 6a909c5c69356a702df4527acc96726557d9c071
MD5 hash: a367c93e2c6b9dd9d57834bf4b251feb
humanhash: apart-skylark-low-chicken
File name:file
Download: download sample
Signature XWorm
Create hunting rule
File size:1'288'400 bytes
First seen:2025-10-17 04:04:17 UTC
Last seen:2025-10-17 04:09:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2b39a59ef6bff544a0dc4af77e9defab (4 x XWorm)
ssdeep 24576:FL3AfeU159IF1mGoCy14I1/8cW5v/0wvO9:N3A9159IFQGo54KkcW58wK
TLSH T15F5590317FAB2613F1B64534433A29061E61247759B9F0DFA5CAB517BED3C2E388D20A
TrID 30.2% (.EXE) Win64 Executable (generic) (10522/11/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4504/4/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe xworm


Avatar
Bitsight
url: http://178.16.55.189/files/7207342161/TQ9NyLh.exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
145.223.69.92:7000 https://threatfox.abuse.ch/ioc/1616971/

Intelligence

File Origin
# of uploads :
4
# of downloads :
101
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Suspicious activity
Analysis date:
2025-10-17 04:07:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/53b66cb3-8187-4a80-8d09-788d35cf0873

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33147/
Detection(s):
Win.Packed.Zard-10038626-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f1c05f0cffb3244298a249
Tags:
autorun fareit
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
babar crypto evasive fareit invalid-signature packed signed unsafe visual_basic
Link:
https://www.filescan.io/uploads/68f1c0cc3fe1a004456b613f/reports/a354cf4d-179c-46dd-876e-52b27bcb62b9/overview
Verdict:
Malicious
Labled as:
Babar.Generic
Link:
https://www.hybrid-analysis.com/sample/fea323323c852bd8f4d1f53f7f192f6c69e11a77907f82f63118793a550d7d69
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-16T19:32:00Z UTC
Last seen:
2025-10-18T22:58:00Z UTC
Hits:
~100
Detections:
Backdoor.Agent.TCP.C&C Trojan-Dropper.Win32.VB Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb Trojan.MSIL.Agent.sb VHO:Trojan-Spy.Win32.Noon.gen PDM:Trojan.Win32.Generic Backdoor.Win32.Androm.vxvb Trojan-Dropper.Win32.Injector.sb Trojan.WinLNK.Agent.fb Backdoor.Win32.Androm
Link:
https://opentip.kaspersky.com/fea323323c852bd8f4d1f53f7f192f6c69e11a77907f82f63118793a550d7d69/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2ca73a58-06ff-4983-a906-2e89c071ba2d
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fea323323c852bd8f4d1f53f7f192f6c69e11a77907f82f63118793a550d7d69
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Visual Basic Visual Basic 6 Win 32 Exe x86
Link:
https://app.malva.re/file/a367c93e2c6b9dd9d57834bf4b251feb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fea323323c852bd8f4d1f53f7f192f6c69e11a77907f82f63118793a550d7d69/
Verdict:
Malicious
Threat:
Family.ASYNCRAT
Link:
https://tip.neiki.dev/file/fea323323c852bd8f4d1f53f7f192f6c69e11a77907f82f63118793a550d7d69
Threat name:
Win32.Infostealer.Babar
Create hunting rule
Status:
Malicious
First seen:
2025-10-16 22:38:01 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=72rsgmr4quv5r5gr6u7x6gjpnru6cgtxsb7yf5rrdb4tuvinpvuq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/251017-epvlzsxk16/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/104ea840-eaf6-4b25-8e9b-8b83bdd70d49
Unpacked files
SH256 hash:
fea323323c852bd8f4d1f53f7f192f6c69e11a77907f82f63118793a550d7d69
MD5 hash:
a367c93e2c6b9dd9d57834bf4b251feb
SHA1 hash:
6a909c5c69356a702df4527acc96726557d9c071
Link:
https://www.unpac.me/results/ffb1ad29-d6b0-4638-8931-91bda67ee2fc/
SH256 hash:
2c940480799b0412653ec72f247137e61b58c4283e9e272620950b3d7f27008f
MD5 hash:
f423da5dd492855f49050106766b8869
SHA1 hash:
458147032bf607ca6d5540f1f42a15812d16cdab
Link:
https://www.unpac.me/results/ffb1ad29-d6b0-4638-8931-91bda67ee2fc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fea323323c85/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fea323323c852bd8f4d1f53f7f192f6c69e11a77907f82f63118793a550d7d69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Executable exe fea323323c852bd8f4d1f53f7f192f6c69e11a77907f82f63118793a550d7d69

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3679647/
Cape
Cape
https://www.capesandbox.com/analysis/33147/

Comments