{ "type": "MD5", "indicator": "c45c7bb5fa83ca3e7ae7eac326e8ec00", "general": { "sections": [ "general", "analysis" ], "type": "md5", "type_title": "FileHash-MD5", "indicator": "c45c7bb5fa83ca3e7ae7eac326e8ec00", "validation": [], "base_indicator": { "id": 4138110303, "indicator": "b1beef46b5cea7add4a62b0c70495a960de8612ad0ab136285c62645d8dca261", "type": "FileHash-SHA256", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "691796bf3f54aad6397c9382", "name": "ACTIVIDAD MALICIOSA | Relacionada con XWorm 14-11-2025", "description": "XWorm es un troyano de administraci\u00f3n/acceso remoto (RAT) altamente sofisticado y peligroso. Se vende a trav\u00e9s de canales oscuros por $400 y est\u00e1 dise\u00f1ado para otorgar a los ciberdelincuentes acceso y control no autorizados sobre el sistema de la v\u00edctima. Este malware puede robar informaci\u00f3n del sistema, ejecutar archivos, acceder a la c\u00e1mara web y al micr\u00f3fono, abrir URL, ejecutar comandos de shell, y gestionar archivos. Adem\u00e1s, tiene la capacidad de activar y desactivar varias funciones del sistema, como el Control de cuentas de usuario, el Editor del registro, el Administrador de tareas, el Firewall, y puede invocar la Pantalla azul de la muerte (BSOD).", "modified": "2025-11-14T20:53:19.882000", "created": "2025-11-14T20:53:19.882000", "tags": [ "tcticas ta0001", "initial access", "ta0005 defense", "evasion https", "access https", "ta0011 command", "control https", "tcnicas t1566", "phishing https", "t1059 command" ], "references": [ "https://www.virustotal.com/graph/embed/g9aab5840367048deb82c06be580ba0d5144b8f935bbf48d497df2fcd21e286c3?theme=light", "https://darfe.es/ciberwiki/index.php?title=XWorm" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 96, "FileHash-SHA1": 96, "FileHash-SHA256": 326 }, "indicator_count": 518, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "197 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "68e68ec23d0bf10992a991fa", "name": "ACTIVIDAD MALICIOSA | Relacionada con XWorm 08-10-2025", "description": "XWorm es un troyano de administraci\u00f3n/acceso remoto (RAT) altamente sofisticado y peligroso. Se vende a trav\u00e9s de canales oscuros por $400 y est\u00e1 dise\u00f1ado para otorgar a los ciberdelincuentes acceso y control no autorizados sobre el sistema de la v\u00edctima. Este malware puede robar informaci\u00f3n del sistema, ejecutar archivos, acceder a la c\u00e1mara web y al micr\u00f3fono, abrir URL, ejecutar comandos de shell, y gestionar archivos. Adem\u00e1s, tiene la capacidad de activar y desactivar varias funciones del sistema, como el Control de cuentas de usuario, el Editor del registro, el Administrador de tareas, el Firewall, y puede invocar la Pantalla azul de la muerte (BSOD).", "modified": "2025-10-08T16:18:10.185000", "created": "2025-10-08T16:18:10.185000", "tags": [ "tcticas ta0001", "initial access", "ta0005 defense", "evasion https", "access https", "ta0011 command", "control https", "tcnicas t1566", "phishing https", "t1059 command" ], "references": [ "https://www.virustotal.com/graph/embed/g645521e3a022430987ec4385e72913278e0f22ff08934bb5b52659598c13a370?theme=light", "https://darfe.es/ciberwiki/index.php?title=XWorm" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 98, "FileHash-SHA1": 98, "FileHash-SHA256": 393 }, "indicator_count": 589, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "234 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "68e3fb9b338a54bdd07c1513", "name": "Actividad maliciosa relacionada con XWorm - 06/10/2025", "description": "Keylogging (captura de teclas).\nExfiltraci\u00f3n de archivos.\nFunciones DDoS (ataques distribuidos de denegaci\u00f3n de servicio).\nFuncionalidades de ransomware (puede cifrar archivos en versiones m\u00e1s avanzadas).\nEvasi\u00f3n de antivirus mediante ofuscaci\u00f3n.", "modified": "2025-10-06T17:25:47.406000", "created": "2025-10-06T17:25:47.406000", "tags": [ "tvzpru", "cxbirqgzrg" ], "references": [ "https://darfe.es/ciberwiki/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "melted_ocampo", "id": "346085", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 420, "FileHash-SHA1": 393, "FileHash-SHA256": 393 }, "indicator_count": 1206, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "236 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 } ], "references": [ "https://darfe.es/ciberwiki/", "https://www.virustotal.com/graph/embed/g645521e3a022430987ec4385e72913278e0f22ff08934bb5b52659598c13a370?theme=light", "https://www.virustotal.com/graph/embed/g9aab5840367048deb82c06be580ba0d5144b8f935bbf48d497df2fcd21e286c3?theme=light", "https://darfe.es/ciberwiki/index.php?title=XWorm" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Xworm" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "691796bf3f54aad6397c9382", "name": "ACTIVIDAD MALICIOSA | Relacionada con XWorm 14-11-2025", "description": "XWorm es un troyano de administraci\u00f3n/acceso remoto (RAT) altamente sofisticado y peligroso. Se vende a trav\u00e9s de canales oscuros por $400 y est\u00e1 dise\u00f1ado para otorgar a los ciberdelincuentes acceso y control no autorizados sobre el sistema de la v\u00edctima. Este malware puede robar informaci\u00f3n del sistema, ejecutar archivos, acceder a la c\u00e1mara web y al micr\u00f3fono, abrir URL, ejecutar comandos de shell, y gestionar archivos. Adem\u00e1s, tiene la capacidad de activar y desactivar varias funciones del sistema, como el Control de cuentas de usuario, el Editor del registro, el Administrador de tareas, el Firewall, y puede invocar la Pantalla azul de la muerte (BSOD).", "modified": "2025-11-14T20:53:19.882000", "created": "2025-11-14T20:53:19.882000", "tags": [ "tcticas ta0001", "initial access", "ta0005 defense", "evasion https", "access https", "ta0011 command", "control https", "tcnicas t1566", "phishing https", "t1059 command" ], "references": [ "https://www.virustotal.com/graph/embed/g9aab5840367048deb82c06be580ba0d5144b8f935bbf48d497df2fcd21e286c3?theme=light", "https://darfe.es/ciberwiki/index.php?title=XWorm" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 96, "FileHash-SHA1": 96, "FileHash-SHA256": 326 }, "indicator_count": 518, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "197 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "68e68ec23d0bf10992a991fa", "name": "ACTIVIDAD MALICIOSA | Relacionada con XWorm 08-10-2025", "description": "XWorm es un troyano de administraci\u00f3n/acceso remoto (RAT) altamente sofisticado y peligroso. Se vende a trav\u00e9s de canales oscuros por $400 y est\u00e1 dise\u00f1ado para otorgar a los ciberdelincuentes acceso y control no autorizados sobre el sistema de la v\u00edctima. Este malware puede robar informaci\u00f3n del sistema, ejecutar archivos, acceder a la c\u00e1mara web y al micr\u00f3fono, abrir URL, ejecutar comandos de shell, y gestionar archivos. Adem\u00e1s, tiene la capacidad de activar y desactivar varias funciones del sistema, como el Control de cuentas de usuario, el Editor del registro, el Administrador de tareas, el Firewall, y puede invocar la Pantalla azul de la muerte (BSOD).", "modified": "2025-10-08T16:18:10.185000", "created": "2025-10-08T16:18:10.185000", "tags": [ "tcticas ta0001", "initial access", "ta0005 defense", "evasion https", "access https", "ta0011 command", "control https", "tcnicas t1566", "phishing https", "t1059 command" ], "references": [ "https://www.virustotal.com/graph/embed/g645521e3a022430987ec4385e72913278e0f22ff08934bb5b52659598c13a370?theme=light", "https://darfe.es/ciberwiki/index.php?title=XWorm" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 98, "FileHash-SHA1": 98, "FileHash-SHA256": 393 }, "indicator_count": 589, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "234 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "68e3fb9b338a54bdd07c1513", "name": "Actividad maliciosa relacionada con XWorm - 06/10/2025", "description": "Keylogging (captura de teclas).\nExfiltraci\u00f3n de archivos.\nFunciones DDoS (ataques distribuidos de denegaci\u00f3n de servicio).\nFuncionalidades de ransomware (puede cifrar archivos en versiones m\u00e1s avanzadas).\nEvasi\u00f3n de antivirus mediante ofuscaci\u00f3n.", "modified": "2025-10-06T17:25:47.406000", "created": "2025-10-06T17:25:47.406000", "tags": [ "tvzpru", "cxbirqgzrg" ], "references": [ "https://darfe.es/ciberwiki/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "melted_ocampo", "id": "346085", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 420, "FileHash-SHA1": 393, "FileHash-SHA256": 393 }, "indicator_count": 1206, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "236 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "c45c7bb5fa83ca3e7ae7eac326e8ec00", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "c45c7bb5fa83ca3e7ae7eac326e8ec00", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780203449.1023693 }