MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09eb254ca162965a3722fd345476cbbacbd46e7d6d27632c4ce8ae614c961a2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm
Vendor detections: 12

SHA256 hash: 09eb254ca162965a3722fd345476cbbacbd46e7d6d27632c4ce8ae614c961a2d
SHA3-384 hash: cfae82a3c098746b7aea84fc6680409348446d84787f701bb57c5e2d268bdf5e265999774454006fd821ea60f42714bf
SHA1 hash: 193859cf2accf1f34346bc910f63495c5bcf8e4f
MD5 hash: 9ea320c8f69be615efba4a3035fb83cf
humanhash: mars-mobile-arkansas-massachusetts
File name: RFQ#X05-216 FAST.JS
Signature: XWorm
File size: 2'569'921 bytes
First seen: 2026-06-23 08:01:34 UTC
Last seen: 2026-06-23 10:14:29 UTC
File type: JavaScript (JS) js
MIME type: text/plain
ssdeep: 49152:9StNyhb+TqIHrd3Oq6vCABXF24g2umRVQGfFjfH8DL0foMwtTzaigkxd2Pgo5tw0:8NyhWrdezzV3g29RVbfhf80fo9tTzaiK
Threatray: 410 similar samples on MalwareBazaar
TLSH: T17BC5065087A4A076766CE36DD437AE30480E2003A5DADF0D346EE718B689E8B579DDF3
Magika: javascript
Reporter: abuse_ch
Tags: js xworm

Intelligence

File Origin
# of uploads: 2
# of downloads: 132
Origin country: SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
96.5%
Tags:
ransomware sage blic
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug base64 dropper evasive obfuscated packed repaired
Verdict:
Malicious
File Type:
js
First seen:
2026-06-23T02:02:00Z UTC
Last seen:
2026-06-23T04:55:00Z UTC
Hits:
~100
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad.spyw.expl
Score:
100 / 100
Signature
AI detected malicious Powershell script
Benign windows process drops PE files
Bypasses PowerShell execution policy
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Found API chain indicative of debugger detection
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Suspicious WerFault Winsock library load
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Behaviour
Behavior Graph:
Behavior Graph ID: 1932428 (Sample: RFQ#X05-216 FAST.JS.js, Startdate: 23/06/2026, Architecture: WINDOWS, Score: 100); the graph image itself is not reproduced here.
Result
Malware family:
Score:
  10/10
Tags:
family:xworm collection discovery execution persistence rat spyware stealer trojan
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Detect Xworm Payload
Family: Xworm
Malware Config
C2 Extraction:
94.154.32.52:7004
45.88.91.5:7004
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments