MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d5a56bacd1945932f7f6d603e21278aa71276f7d900b8dc8ff3cebc406cfff0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	0d5a56bacd1945932f7f6d603e21278aa71276f7d900b8dc8ff3cebc406cfff0
SHA3-384 hash:	fc9f6fa6f606d56e92c87a6c33e94feb494ec75d99bdaa2056803ec65c103d17149e8b3f0d8085003102b195819ce695
SHA1 hash:	5bb8320d17019bced8cc9edb5d08044b638f0f38
MD5 hash:	eb00e3bde15d9f7deb017c006f963eb5
humanhash:	river-violet-michigan-crazy
File name:	exclusion.ps1
Download:	download sample
Signature	XWorm Create hunting rule
File size:	333 bytes
First seen:	2025-10-01 12:08:35 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	6:IPeGgdEYwdqGx4ZJ+DlbdoOLNKoKvATbvtKvsL3Lh8JxWR0HCWjeGgdEYATaKMFW:ISu7wGx4ZCHoLoKYTbtKqGtHHeu1TnMI
Threatray	101 similar samples on MalwareBazaar
TLSH	T1DCE02C29220243A0C7D02AC18432020BB0AFD0AC002D1E2FA0AC58293442B922FEFECA
Magika	powershell
Reporter	JAMESWT_WT
Tags:	github-com--robertoaguilarfields-blip ps1 xworm

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68dd19fc7d643f33eab916fc

Tags:

agenttesla shell spawn msil

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmstp control dropper fingerprint lolbin reconnaissance

Link:

https://www.filescan.io/uploads/68dd1a10674d5fd6aa12659a/reports/ac6849f1-71f6-4e1a-b935-c594e274963d/overview

Verdict:

Suspicious

Labled as:

TrojanDownloader/PS.Agent

Link:

https://www.hybrid-analysis.com/sample/0d5a56bacd1945932f7f6d603e21278aa71276f7d900b8dc8ff3cebc406cfff0

Verdict:

Malicious

File Type:

ps1

First seen:

2025-10-01T15:20:00Z UTC

Last seen:

2025-10-02T06:45:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/0d5a56bacd1945932f7f6d603e21278aa71276f7d900b8dc8ff3cebc406cfff0/results?tab=lookup

Score:

58%

Verdict:

Susipicious

File Type:

SCRIPT

Link:

https://malprob.io/report/0d5a56bacd1945932f7f6d603e21278aa71276f7d900b8dc8ff3cebc406cfff0

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0d5a56bacd1945932f7f6d603e21278aa71276f7d900b8dc8ff3cebc406cfff0/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bvnfnowndfczgl37nvqd4ijhrktre5xx3ealrxep6phlyqdm77ya._file

Verdict:

malicious

Label(s):

xworm

XWorm

899f59db7e0fb9731002fb1922785bc217ebb1f8183f30e3a2d2945620e99902

XWorm

9d31546ad6c509012ae3de9eb71f2e49bef7cb89c91d929f03b444762e6bc0ae

XWorm

e036bb5441416bcd7ba4b93cdbec47d1e9e76fb3470834b73521a811cfacf5d2

XWorm

error

XWorm

ff01cac434318c68a1a8f54d58e4963f69d8c5ebaa7847c915363067df0c3f5f

XWorm

+ 91 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm execution persistence rat trojan

Link:

https://tria.ge/reports/251001-pbp5fstyez/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Drops file in Windows directory

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Executes dropped EXE

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Detect Xworm Payload

Xworm

Xworm family

Malware Config

C2 Extraction:

resources-formerly.gl.at.ply.gg:43317
:2121

Dropper Extraction:

https://github.com/robertoaguilarfields-blip/my-proyecto/raw/refs/heads/main/injection.exe

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0d5a56bacd1945932f7f6d603e21278aa71276f7d900b8dc8ff3cebc406cfff0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample