MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0135b1aed1e0ef32dc906a7d058e6f208c2b08bfd9567f3e6e1acd759439cf35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0135b1aed1e0ef32dc906a7d058e6f208c2b08bfd9567f3e6e1acd759439cf35
SHA3-384 hash: 15b9c5322f0c10020f08594a82a29cda083c9d1f2c1bfc920777e5a38dd29bbc2f0390affccb0364032505dab373c24c
SHA1 hash: 4970bf9745d555b98660fbc9e93f63a5b89436db
MD5 hash: 2c28dc789960bfa76ab1eed0753f9805
humanhash: sink-november-thirteen-nine
File name:a.ps1
Download: download sample
Signature XWorm
Create hunting rule
File size:395 bytes
First seen:2025-03-29 04:51:26 UTC
Last seen:2025-04-05 07:00:58 UTC
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12:GjzoIFoqFrJede6USW/Ie0gd3pj0RRg6Xe:Gjzo4oQrJye6JW/P02x0Q6Xe
TLSH T19FE04FDEDF8EDE5792C12CA1ED36B953802875E425B7A98024A7AD0D90F9330CE52079
Magika powershell
Reporter Chamindu_X
Tags:92-255-85-2 booking ClickFix FakeCaptcha ps1 xworm

Intelligence

File Origin
# of uploads :
4
# of downloads :
122
Origin country :
LK LK
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e77f28855e5ec524097d54
Tags:
trojan shell sage
Verdict:
Malicious
Labled as:
HEUR_TrojanDownloader_PowerShell_Agent_gen
Link:
https://www.hybrid-analysis.com/sample/0135b1aed1e0ef32dc906a7d058e6f208c2b08bfd9567f3e6e1acd759439cf35
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1651626
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Compiles code for process injection (via .Net compiler)
Contains functionality to capture screen (.Net source)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Score:
83%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/0135b1aed1e0ef32dc906a7d058e6f208c2b08bfd9567f3e6e1acd759439cf35
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0135b1aed1e0ef32dc906a7d058e6f208c2b08bfd9567f3e6e1acd759439cf35/
Threat name:
Script.Dropper.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-03-28 20:23:03 UTC
File Type:
Text (Batch)
AV detection:
3 of 24 (12.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ae23dlwr4dxtfxeqnj6qldtpecgcwcf73flh6ptodlgxlfbzz42q._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250329-fhfpxszls6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Blocklisted process makes network request
Downloads MZ/PE file
Malware Config
Dropper Extraction:
http://92.255.85.2/j.exe
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/0135b1aed1e0ef32dc906a7d058e6f208c2b08bfd9567f3e6e1acd759439cf35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_Remcos_RAT
Create hunting rule
Author:daniyyell
Description:Detects Remcos RAT payloads and commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

PowerShell (PS) ps1 0135b1aed1e0ef32dc906a7d058e6f208c2b08bfd9567f3e6e1acd759439cf35

(this sample)

XWorm

Executable exe 7ae0d150627061ba95af3187f37c39be2b65adc08cf05b72dfff3a3323241f40

anyrun
any.run
https://app.any.run/tasks/b782a3a1-19a1-4c09-9271-17ca50a31f40
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3480432/
  
Dropping
SHA256 7ae0d150627061ba95af3187f37c39be2b65adc08cf05b72dfff3a3323241f40
  
Dropping
MD5 ceea2d8561e57b333c8fd7543f434a03

Comments