MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19ba6881b1e82fa63c945ded965dc247f291d64eef58f6814e232f1422a0bb62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19ba6881b1e82fa63c945ded965dc247f291d64eef58f6814e232f1422a0bb62
SHA3-384 hash: e9e8705074c8247255c4045dfb95ae73fcaf4d17b145c8502ed92dda2131b17ba38d7594d70953fe414ef801b83207aa
SHA1 hash: 1d111aca994e700b4f500ff6b9949f246cbc6cbd
MD5 hash: ef0702857283b79a38fe26cbe501fab9
humanhash: nevada-green-eight-august
File name:Artículos enumerados.js
Download: download sample
Signature XWorm
Create hunting rule
File size:2'515 bytes
First seen:2025-04-25 08:34:58 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 48:qbFpbF1bFObFfbFUmtbFVbFVbF5bF7bFKbFKbF5bFEbFmbFVbFAbFnbFAbFAbFKl:gvnWlhbbP1OOPEKbQxQQOrOz3bnnRc39
Threatray 58 similar samples on MalwareBazaar
TLSH T1B7510A73F2899D21DE8075359F74D291B18B9A0A2E0914BD612C93C40DB5C8FEFAC4E6
Magika javascript
Reporter abuse_ch
Tags:js xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
476
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Other.Malware-gen.3744.7669.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680b4a003d067f8483992f36
Tags:
obfuscate autorun xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/680b493f218c4a98ade1958f/reports/93827d30-dbfc-4046-a320-0bb8ab31810d/overview
Verdict:
Malicious
Labled as:
JS/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/19ba6881b1e82fa63c945ded965dc247f291d64eef58f6814e232f1422a0bb62
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1673932
Signature
Connects to a pastebin service (likely for C&C)
Found suspicious powershell code related to unpacking or dynamic code loading
Found Tor onion address
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/19ba6881b1e82fa63c945ded965dc247f291d64eef58f6814e232f1422a0bb62/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dg5granr5ax2mpeulxwzmxoci7zjdvso55mpnakoemxriivaxnra._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
17b8ed542953af11ee9a7a2eb5403cdd3e1735d581f744793755053c468a5d3b
XWorm
471319aad8312f3f5da24f6366c3fd68698cfcd2b19db31d2209f14212760296
XWorm
7c0946cd8a228f35db68a9bd702e283a3ab9f41113bede7ed206e9af5f824c9e
XWorm
9ec800488905166dc740c5c7513eb39d49c9a65ae6981b5df117fba7e3266025
XWorm
a949f980d1d067a05f7f72bb34b83ac0a0c782607d8f79d27e78bed78327761f
XWorm
ad29a2fad9f4154afda4141b28b5dad16a72a4babd963ce73fc5bee151259b32
XWorm
b0f580611f79b3506b8ffcb745951d7de5811d3f91261d1fc08b247c32649688
XWorm
dff785934fc4c39f05e39e8abde6a033c81ede6d0435d99d7477c78b2ef2f50d
XWorm
e45b310301004cf4ea3e855aae0ff6ba2e78b1fe8e99b90c8cb553881e410d20
XWorm
error
XWorm
+ 48 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution persistence rat trojan
Link:
https://tria.ge/reports/250425-kg2yzswjv4/
Behaviour
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
jerrytech.duckdns.org:8078
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
XWorm
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/19ba6881b1e82fa63c945ded965dc247f291d64eef58f6814e232f1422a0bb62

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments