Threat name:
AveMaria, Phantom stealer, Strela Stealer
Alert
Classification:
troj.spyw.expl.evad
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates processes via WMI
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign process
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Powershell is started from unusual location (likely to bypass HIPS)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Renames powershell.exe to bypass HIPS
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AveMaria stealer
Yara detected Costura Assembly Loader
Yara detected Phantom stealer
Yara detected Powershell decode and execute
Yara detected Strela Stealer
Yara detected Telegram RAT
Behavior Graph
ID: 1814942
Sample: Legal Notice for Outstandin...
Startdate: 16/11/2025
Architecture: WINDOWS
Score: 100

Process tree, signatures, network contacts and dropped files recovered from the behavior graph:

Sample (root)
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 26 other signatures
  Network: api.telegram.org (Uses the Telegram API (likely for C&C communication)); prod.classify-client.prod.webservices.mozgcp.net; 2 other IPs or domains
  started wscript.exe
    Signatures: Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found; Creates processes via WMI
    started cmd.exe
      Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy
      started conhost.exe
      started cmd.exe
        started cmd.exe
          Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly)
          started conhost.exe
          started powershell.exe
            Network: 103.83.86.27, 1212, 49685, 49691 (GELEXIY-AS-INGelexiyCabNetIN, India); api.telegram.org 149.154.167.220, 443, 49684 (TELEGRAMRU, United Kingdom); icanhazip.com 104.16.184.241 (CLOUDFLARENETUS, United States)
            Dropped: C:\Users\user\AppData\...\powershell.exe, PE32+; C:\Users\user\AppData\...\XWormClient.exe, PE32+; C:\Users\user\AppData\...\XWormClient.lnk, MS
            Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); Creates autostart registry keys with suspicious values (likely registry only malware); 9 other signatures
            started firefox.exe
              started firefox.exe
                Network: prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216 (GOOGLEUS, United States)
                Signatures: Monitors registry run keys for changes; Installs a global keyboard hook
                started firefox.exe
                started firefox.exe
            started msedge.exe
              Signatures: Writes to foreign memory regions
              started msedge.exe
            started csc.exe
              Dropped: C:\Users\user\AppData\...\powershell.exe, PE32
              started conhost.exe
              started cvtres.exe
            started 3 other processes
  started powershell.exe
    Signatures: Powershell is started from unusual location (likely to bypass HIPS); Reads the Security eventlog; Reads the System eventlog
    started conhost.exe
  started powershell.exe
    started conhost.exe
  started svchost.exe
    Network: 127.0.0.1 (unknown, unknown)