MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 275ec9cfb15d02fb150eafe5e173682ef7497ace5914f25826b428426f9019d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 275ec9cfb15d02fb150eafe5e173682ef7497ace5914f25826b428426f9019d6
SHA3-384 hash: dfbf48c4429add367c796e409d2479704ff107c591f2b5a6042d9d3de94aae83f478ba60f0ccc18e834021541732f763
SHA1 hash: e0cb8a6007626571fd87965a579e074f2189ac24
MD5 hash: af10af0d3835d44b41b0b0e577fef419
humanhash: jig-maryland-victor-six
File name:3.js
Download: download sample
Signature XWorm
Create hunting rule
File size:6'136'957 bytes
First seen:2025-08-29 21:41:39 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 384:h2NgtZPPzexj0V74DkJmW7gYuP7xLD95fh9PMre7o9zUV+M+2FB1AxYApJEkwoF6:c
Threatray 1'657 similar samples on MalwareBazaar
TLSH T1C0564976EC431BA83008A69D914BABDDD6B6663FDC598FD4CD09F923E0BE4BD4230521
Magika javascript
Reporter smica83
Tags:github-com-visage23wr js xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
HU HU
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b21e9deb163e0ec1831be8
Tags:
asyncrat autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd cscript dropper evasive lolbin lolbin obfuscated obfuscated
Link:
https://www.filescan.io/uploads/68b21e9c6212e2f74265a9c2/reports/a8a42745-d4cb-4224-b001-3b568522e638/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/275ec9cfb15d02fb150eafe5e173682ef7497ace5914f25826b428426f9019d6
Verdict:
Unknown
File Type:
Link:
https://opentip.kaspersky.com/275ec9cfb15d02fb150eafe5e173682ef7497ace5914f25826b428426f9019d6/results?tab=lookup
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1767955
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Benign windows process drops PE files
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found malware configuration
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Powershell drops PE file
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Sigma detected: Bypass UAC via Fodhelper.exe
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
UAC bypass detected (Fodhelper)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1767955 Sample: 3.js Startdate: 29/08/2025 Architecture: WINDOWS Score: 100 64 fuckrat.store 2->64 66 raw.githubusercontent.com 2->66 68 github.com 2->68 82 Found malware configuration 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Yara detected XWorm 2->86 88 14 other signatures 2->88 15 wscript.exe 4 2 2->15         started        19 explorer.exe 2->19         started        21 explorer.exe 2->21         started        signatures3 process4 file5 62 C:\Users\user\AppData\...\tmp_hx3hrvha.js, ASCII 15->62 dropped 74 Benign windows process drops PE files 15->74 76 JScript performs obfuscated calls to suspicious functions 15->76 78 Windows Scripting host queries suspicious COM object (likely to drop second stage) 15->78 80 Suspicious execution chain found 15->80 23 wscript.exe 2 15->23         started        signatures6 process7 file8 58 tmp_15c9621f-1bbc-...da-0a5fbfe2d6b1.exe, PE32+ 23->58 dropped 26 tmp_15c9621f-1bbc-4c9b-9fda-0a5fbfe2d6b1.exe 2 23->26         started        process9 signatures10 100 Multi AV Scanner detection for dropped file 26->100 102 UAC bypass detected (Fodhelper) 26->102 29 cmd.exe 2 26->29         started        process11 signatures12 106 Encrypted powershell cmdline option found 29->106 108 Bypasses PowerShell execution policy 29->108 32 fodhelper.exe 12 29->32         started        34 conhost.exe 29->34         started        36 fodhelper.exe 29->36         started        38 fodhelper.exe 29->38         started        process13 process14 40 tmp_15c9621f-1bbc-4c9b-9fda-0a5fbfe2d6b1.exe 32->40         started        process15 42 cmd.exe 1 40->42         started        signatures16 104 Encrypted powershell cmdline option found 42->104 45 powershell.exe 14 25 42->45         started        50 conhost.exe 42->50         started        process17 dnsIp18 70 github.com 140.82.112.3, 443, 49721 GITHUBUS United States 45->70 72 raw.githubusercontent.com 185.199.110.133, 443, 49722 FASTLYUS Netherlands 45->72 60 C:\Users\user\AppData\Local\...\explorer.exe, PE32 45->60 dropped 110 Drops PE files with benign system names 45->110 112 Loading BitLocker PowerShell Module 45->112 114 Powershell drops PE file 45->114 52 explorer.exe 3 45->52         started        file19 signatures20 process21 signatures22 90 Antivirus detection for dropped file 52->90 92 Multi AV Scanner detection for dropped file 52->92 94 Protects its processes via BreakOnTermination flag 52->94 96 2 other signatures 52->96 55 powershell.exe 23 52->55         started        process23 signatures24 98 Loading BitLocker PowerShell Module 55->98
Score:
51%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/275ec9cfb15d02fb150eafe5e173682ef7497ace5914f25826b428426f9019d6
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/275ec9cfb15d02fb150eafe5e173682ef7497ace5914f25826b428426f9019d6/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/275ec9cfb15d02fb150eafe5e173682ef7497ace5914f25826b428426f9019d6
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-29 03:33:56 UTC
File Type:
Text (JavaScript)
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e5pmtt5rlubpwfiov7s6c43if33us6wolekpewbgwquee34qdhla._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
496d7e66ce98f06cab49eba51616c85558556a34682d87c824fd52e6a764a2a4
XWorm
8cb185d30039d4a941a79f71cb9c85de8b4092a3ee742633d5177db35e7becbb
XWorm
9695cfa0eee577f79c697f76f36de873ee23690067d1c0e56474e6b3f8c5b5ed
XWorm
error
XWorm
ff53ea407afca08ff7555f895686fb71cc858cfd51725efc6a678c2b202f31f4
XWorm
+ 1'647 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm defense_evasion execution persistence rat trojan
Link:
https://tria.ge/reports/250829-1j6mysztbt/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Executes dropped EXE
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
fuckrat.store:1131
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/275ec9cfb15d02fb150eafe5e173682ef7497ace5914f25826b428426f9019d6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments