MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ebbe5b13be82a663ebb67d3f3a931e0a8277d262b3fba9085a5a9203981b503. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ebbe5b13be82a663ebb67d3f3a931e0a8277d262b3fba9085a5a9203981b503
SHA3-384 hash: 8b371a1ebb86dc294d3ed7e2e68667831f33cc49c33ceb2657b96d9861a33c697b240f2dd3608c122ad32af275aefc82
SHA1 hash: 17d0508507b7cae663ce18b50a5240d036f3c521
MD5 hash: 48defe7c358e8f4430b4fdac65725686
humanhash: jupiter-robert-vegan-oregon
File name:Samples_PO-ORDER_Request_Quotation_1005_(40FT)_2025_xls10050120262500000000000000000000000000000000000000000000000.lnk
Download: download sample
Signature XWorm
Create hunting rule
File size:2'322 bytes
First seen:2026-01-26 13:22:11 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 24:8Hp/BHYVKVWO+/CWeQWKVvyAoqr1UfpjAUfR+/E4I0aHZDD:8HR5a6QlVvyAoq5jyAITDD
Threatray 2 similar samples on MalwareBazaar
TLSH T19541F1101BE50318E6F39B79A8BAB21285767855EE72CF8E0250618C6471520F5B6F3B
Magika lnk
Reporter lowmal3
Tags:lnk xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
50
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
LNK
Details
LNK
a command line and any observed urls
Link:
https://research.acce.ciphertechsolutions.com/results/fdf414d9-157a-4be5-8b05-395171627ed8/
Detection(s):
SecuriteInfo.com.VBS.Obfus-101.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.LNK.PowerShell.Download-1.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.26479.PshHeur.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.KingForADaypshell.20231121.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69776a976fa3eed1652f1d6f
Tags:
ransomware shell sage
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/1ebbe5b13be82a663ebb67d3f3a931e0a8277d262b3fba9085a5a9203981b503/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autorun base64 evasive masquerade obfuscated powershell powershell
Link:
https://www.filescan.io/uploads/69776a94f3c1b7b1fbdcee59/reports/149358fd-922b-474b-85aa-62b2b6fb7c13/overview
Verdict:
Malicious
Labled as:
Trojan.PowerShell.LNK.Generic
Link:
https://www.hybrid-analysis.com/sample/1ebbe5b13be82a663ebb67d3f3a931e0a8277d262b3fba9085a5a9203981b503
Verdict:
Malicious
File Type:
lnk
First seen:
2026-01-26T07:20:00Z UTC
Last seen:
2026-01-28T08:19:00Z UTC
Hits:
~1000
Detections:
Trojan-Downloader.SLoad.TCP.ServerRequest Trojan.JS.SAgent.sb Trojan.WinLNK.Agent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic Trojan-Downloader.PowerShell.NanoShield.sb PDM:Trojan.Win32.Generic Trojan.Win32.Agent.sb HEUR:Trojan-Downloader.WinLNK.Powedon.a HEUR:Trojan.WinLNK.Agent.gen HEUR:Trojan.Multi.Powedon.a
Link:
https://opentip.kaspersky.com/1ebbe5b13be82a663ebb67d3f3a931e0a8277d262b3fba9085a5a9203981b503/results?tab=lookup
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1857596
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to log keystrokes (.Net Source)
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1857596 Sample: equest_Quotation_1005_(40FT... Startdate: 26/01/2026 Architecture: WINDOWS Score: 100 62 xxblessingsbreakthroughs.duckdns.org 2->62 64 modaaura.store 2->64 66 2 other IPs or domains 2->66 78 Suricata IDS alerts for network traffic 2->78 80 Found malware configuration 2->80 82 Malicious sample detected (through community Yara rule) 2->82 86 25 other signatures 2->86 10 powershell.exe 17 31 2->10         started        15 svchost.exe 2->15         started        17 svchost.exe 2->17         started        19 6 other processes 2->19 signatures3 84 Uses dynamic DNS services 62->84 process4 dnsIp5 70 grabfull.store 216.106.180.52, 443, 49687, 49697 STS-TELECOM-AS-1US United States 10->70 56 C:\Users\user\AppData\...\tmpF698.tmp.vbs, ASCII 10->56 dropped 100 Suspicious execution chain found 10->100 102 Loading BitLocker PowerShell Module 10->102 21 wscript.exe 1 10->21         started        24 conhost.exe 1 10->24         started        104 Changes security center settings (notifications, updates, antivirus, firewall) 15->104 26 MpCmdRun.exe 15->26         started        28 conhost.exe 17->28         started        30 conhost.exe 19->30         started        file6 signatures7 process8 signatures9 88 Windows shortcut file (LNK) starts blacklisted processes 21->88 90 Suspicious powershell command line found 21->90 92 Wscript starts Powershell (via cmd or directly) 21->92 94 2 other signatures 21->94 32 powershell.exe 24 21->32         started        37 conhost.exe 26->37         started        process10 dnsIp11 58 modaaura.store 104.21.53.104, 443, 49696 CLOUDFLARENETUS United States 32->58 60 blackmore.twilightparadox.com 185.122.171.32, 49695, 80 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 32->60 50 C:\Users\user\AppData\...\krwnfbrm.cmdline, Unicode 32->50 dropped 72 Writes to foreign memory regions 32->72 74 Modifies the context of a thread in another process (thread injection) 32->74 76 Injects a PE file into a foreign processes 32->76 39 RegAsm.exe 32->39         started        44 csc.exe 3 32->44         started        46 conhost.exe 32->46         started        file12 signatures13 process14 dnsIp15 68 xxblessingsbreakthroughs.duckdns.org 185.167.61.11, 3025, 49698 INETLTDTR Turkey 39->68 52 C:\Users\user\AppData\Roaming\svchost.exe, PE32+ 39->52 dropped 96 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 39->96 98 Drops PE files with benign system names 39->98 54 C:\Users\user\AppData\Local\...\krwnfbrm.dll, PE32 44->54 dropped 48 cvtres.exe 44->48         started        file16 signatures17 process18
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ebbe5b13be82a663ebb67d3f3a931e0a8277d262b3fba9085a5a9203981b503/
Verdict:
Malicious
Threat:
Family.REVERSELOADER
Link:
https://tip.neiki.dev/file/1ebbe5b13be82a663ebb67d3f3a931e0a8277d262b3fba9085a5a9203981b503
Threat name:
Shortcut.Backdoor.Xworm
Create hunting rule
Status:
Suspicious
First seen:
2026-01-26 13:22:39 UTC
File Type:
Binary
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d256lmj35avgmpv3m7j7hkjr4cuco7jgfm73veefuwusaombwubq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
761304b05b62edeb96840c120a53d44f9af6231866a9dc01dadcad3643f0231f
XWorm
a21042691ca3daa975ce1a24fba6115f2d762eef39cbaffd4245d582d286ea84
XWorm
error
XWorm
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/260126-qpclysay3b/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1ebbe5b13be8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ebbe5b13be82a663ebb67d3f3a931e0a8277d262b3fba9085a5a9203981b503

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:Script_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies scripting artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_PowerShell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to powershell inside an lnk file, which is suspicious
Rule name:SUSP_LNK_SuspiciousCommands
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects LNK file with suspicious content

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Shortcut (lnk) lnk 1ebbe5b13be82a663ebb67d3f3a931e0a8277d262b3fba9085a5a9203981b503

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments