MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30d56c8ec53a25a82fec93797c8f7e1bcd4137cedf066cc80ab26027f1204de0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	30d56c8ec53a25a82fec93797c8f7e1bcd4137cedf066cc80ab26027f1204de0
SHA3-384 hash:	46e930a7856851a4ef879f098fc88778bbac9b19375f6ed92c1083d0a91d9755e4d0c7ebf3b270d8f4df887c2d3998aa
SHA1 hash:	cd41bf795f7ddce68322723c070ed7480f5cc0bc
MD5 hash:	a6dfae5ef0f91d04048fe2576830471f
humanhash:	lake-salami-arizona-march
File name:	met-tech_pricing_request_product_samples_drawings_031620260000000_pdf.js
Download:	download sample
Signature	XWorm Create hunting rule
File size:	33'212 bytes
First seen:	2026-03-16 08:10:38 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	192:LFgKkVS+0+R3omBNNXbN+tIwuZ+q49PFgkArxZ+wFGORZ+9F0gYFnjPePeajrBzO:b75vovFMm
TLSH	T146E291B0849321F58BAA7AE0EEB51493F9656271FF2533CFD584B3B98C09C5C41325A7
Magika	javascript
Reporter	lowmal3
Tags:	js xworm

Intelligence

File Origin

# of uploads :

# of downloads :

144

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69b7bb2488c80c01586aaea2

Tags:

n/a

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm base64 evasive fingerprint formbook masquerade obfuscated obfuscated overlay packed powershell repaired

Link:

https://www.filescan.io/uploads/69b7bb232000fc76c3e19677/reports/5a11e5d0-65f9-41ad-924a-73b0c3a5c7c4/overview

Verdict:

Malicious

Labled as:

SVM:TrojanDownloader/JS.MalBehav.gen

Link:

https://www.hybrid-analysis.com/sample/30d56c8ec53a25a82fec93797c8f7e1bcd4137cedf066cc80ab26027f1204de0

Verdict:

Malicious

File Type:

Detections:

Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic

Link:

https://opentip.kaspersky.com/30d56c8ec53a25a82fec93797c8f7e1bcd4137cedf066cc80ab26027f1204de0/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1884100

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Creates processes via WMI

JavaScript source code contains functionality to generate code involving a shell, file or stream

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Yara detected Powershell download and execute

Behaviour

Behavior Graph:

Download SVG

Score:

19%

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/30d56c8ec53a25a82fec93797c8f7e1bcd4137cedf066cc80ab26027f1204de0

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/30d56c8ec53a25a82fec93797c8f7e1bcd4137cedf066cc80ab26027f1204de0/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/30d56c8ec53a25a82fec93797c8f7e1bcd4137cedf066cc80ab26027f1204de0

Threat name:

Win32.Trojan.Alevaul

Status:

Malicious

First seen:

2026-03-16 08:11:23 UTC

File Type:

Text (JavaScript)

AV detection:

6 of 24 (25.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gdkwzdwfhis2ql7msn4xzd36dpgucn6o34dgzsakwjqcp4jajxqa._file

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm discovery execution rat trojan

Link:

https://tria.ge/reports/260316-j3cesags7z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Detect Xworm Payload

Process spawned unexpected child process

Xworm

Xworm family

Malware Config

C2 Extraction:

unitedclassifiedsourcinginc.duckdns.org:3025

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/30d56c8ec53a25a82fec93797c8f7e1bcd4137cedf066cc80ab26027f1204de0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

js 30d56c8ec53a25a82fec93797c8f7e1bcd4137cedf066cc80ab26027f1204de0

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample