MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35ef8cddda57c7c8c680d976e5023b6777a875d3f5a071eb8d3acbaf96fad0e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	35ef8cddda57c7c8c680d976e5023b6777a875d3f5a071eb8d3acbaf96fad0e2
SHA3-384 hash:	abe03ca81465712f8cfac028948ba1f11d278fef83bbe1f20081a73e1228a6e4c9527b5121fdbb820eb27dfa719b411d
SHA1 hash:	cf1cf6344d22f7fd2aebef379bfef6272e177d43
MD5 hash:	7defdb94120685b71e933583ddb94d81
humanhash:	arkansas-gee-queen-mississippi
File name:	Shipping Docs BL___xls.js
Download:	download sample
Signature	XWorm Create hunting rule
File size:	307'925 bytes
First seen:	2025-10-10 13:13:38 UTC
Last seen:	2025-10-10 13:14:44 UTC
File type:	js
MIME type:	text/plain
ssdeep	3072:eUDiV/NySNbC60y6qhttDueg1pX84RGwOd1MjBjUCkVDj61u:eUMNyStC60WhttDzwXdG/1Mt4CkM1u
Threatray	1'062 similar samples on MalwareBazaar
TLSH	T1BB642A29585C79CF3290AB6C18F1F196D01C8E56ECB3061DBC015BE21EAFCE9569339E
Magika	javascript
Reporter	James_inthe_box
Tags:	exe js xworm

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68e906a9f2ca2f143e4104f2

Tags:

n/a

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm base64 evasive fingerprint masquerade obfuscated powershell

Link:

https://www.filescan.io/uploads/68e906ba71883144ef305e5e/reports/1db392aa-54a2-47c6-aa61-f1b5ad218a81/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/35ef8cddda57c7c8c680d976e5023b6777a875d3f5a071eb8d3acbaf96fad0e2

Verdict:

Malicious

File Type:

First seen:

2025-10-10T08:32:00Z UTC

Last seen:

2025-10-12T09:29:00Z UTC

Hits:

~100

Detections:

PDM:Trojan.Win32.Generic Trojan-Downloader.JS.Cryptoload.sb Trojan.VBS.SAgent.sb HEUR:Trojan.Script.Generic Trojan.BAT.Agent.sb Backdoor.MSIL.XWorm.b Backdoor.MSIL.XWorm.a Trojan.PowerShell.AmsiBypass.sb Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.PowerShell.Tesre.sb Backdoor.Agent.TCP.C&C Trojan.Win32.Agent.sb Backdoor.MSIL.Agent.sb HEUR:Trojan.BAT.Tesre.gen

Link:

https://opentip.kaspersky.com/35ef8cddda57c7c8c680d976e5023b6777a875d3f5a071eb8d3acbaf96fad0e2/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/35ef8cddda57c7c8c680d976e5023b6777a875d3f5a071eb8d3acbaf96fad0e2

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/35ef8cddda57c7c8c680d976e5023b6777a875d3f5a071eb8d3acbaf96fad0e2/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/35ef8cddda57c7c8c680d976e5023b6777a875d3f5a071eb8d3acbaf96fad0e2

Threat name:

Win32.Trojan.Znyonm

Status:

Malicious

First seen:

2025-10-10 12:33:00 UTC

File Type:

Text (HTML)

AV detection:

7 of 24 (29.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gxxyzxo2k7d4rrua3f3okar3m532q5ot6wqhd24nhlf27fx22dra._file

Verdict:

malicious

Label(s):

xworm

XWorm

4fdc01f9adfa9a74bd03c27fa804ba5e75942259d2bffdf9392acf8b87fba079

XWorm

78ca4a3aa6a2d53756647b8be5e3c3549a673763f9ef1a62cb43e2eb77a49e43

XWorm

a889d4486a90d6964b86ee97751fa0c10607fcff8823fd31d968a32edece72cf

XWorm

bb61e58f11e979f287a40449ddb0172abbe28c96b2c04a6b3560a3f6d536539d

XWorm

error

XWorm

fdf4b3b369c23a82e39b41a43597e9bed789c4aa3fff2a210e554562c06c3e3c

XWorm

+ 1'052 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm collection discovery execution persistence rat trojan

Link:

https://tria.ge/reports/251010-qgv4bszwbt/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Command and Scripting Interpreter: JavaScript

System Network Configuration Discovery: Internet Connection Discovery

Accesses Microsoft Outlook profiles

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Drops startup file

Executes dropped EXE

Loads dropped DLL

Badlisted process makes network request

Detect Xworm Payload

Process spawned unexpected child process

Xworm

Xworm family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/35ef8cddda57c7c8c680d976e5023b6777a875d3f5a071eb8d3acbaf96fad0e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample