MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 404356dbc85ca00d7d25974a4b7d6bab219b166c060b4d51dd0a34c0cf2b0eeb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	404356dbc85ca00d7d25974a4b7d6bab219b166c060b4d51dd0a34c0cf2b0eeb
SHA3-384 hash:	02504d3cefafdb11aa35cd3ca2f5833e791dda69472014a07c1d669a4112e88a870e29b7740e10e5ff9940b1fbc9393c
SHA1 hash:	133eb1534721d81a0aaf2eface85b054afe3e056
MD5 hash:	a3782b15bac54211d8365e724f2be50f
humanhash:	quiet-kitten-speaker-carpet
File name:	ALL SHIPPING DOC DRAFT BL.JS
Download:	download sample
Signature	XWorm Create hunting rule
File size:	2'941'015 bytes
First seen:	2026-05-22 06:11:10 UTC
Last seen:	2026-05-22 06:13:25 UTC
File type:	js
MIME type:	text/plain
ssdeep	49152:wxedUvyqmx+1tQW6P/j3F3iLVSwVx8GI6zlwnsRem/Zh9l53K123YCFZpEyew8tW:wxedUvyqmx+1tQW6P/jVIV7CGI6zlwsf
TLSH	T1A3D53910532694B1E6ACEB2DD636B620584E200321DAEF1D346E537C7A61F17936FAF3
Magika	txt
Reporter	lowmal3
Tags:	js xworm

Intelligence

File Origin

# of uploads :

# of downloads :

130

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.31320.UNOFFICIAL

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a0ff39d33e785de369caa01

Tags:

virus spawn blic

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug dropper evasive masquerade obfuscated obfuscated packed repaired

Link:

https://www.filescan.io/uploads/6a0ff393861ee596e64582ae/reports/59d8bd84-7678-496d-921b-08ba39971328/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/404356dbc85ca00d7d25974a4b7d6bab219b166c060b4d51dd0a34c0cf2b0eeb

Verdict:

Malicious

File Type:

First seen:

2026-05-17T23:07:00Z UTC

Last seen:

2026-05-24T04:34:00Z UTC

Hits:

~1000

Detections:

Backdoor.Agent.TCP.C&C HEUR:Trojan.Script.Generic HEUR:Trojan-Downloader.Script.Generic Trojan.Win32.Shellcode.sb Trojan-Downloader.JS.Cryptoload.sb PDM:Trojan.Win32.Generic HEUR:Trojan-Dropper.Script.Generic Backdoor.MSIL.XWorm.b

Link:

https://opentip.kaspersky.com/404356dbc85ca00d7d25974a4b7d6bab219b166c060b4d51dd0a34c0cf2b0eeb/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad.troj

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1917500

Signature

Benign windows process drops PE files

Multi AV Scanner detection for submitted file

Sigma detected: WScript or CScript Dropper

Yara detected Lua decrypt and execute

Behaviour

Behavior Graph:

Download SVG

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/404356dbc85ca00d7d25974a4b7d6bab219b166c060b4d51dd0a34c0cf2b0eeb/

Verdict:

Malicious

Threat:

Family.DONUTLOADER

Link:

https://tip.neiki.dev/file/404356dbc85ca00d7d25974a4b7d6bab219b166c060b4d51dd0a34c0cf2b0eeb

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2026-05-18 13:02:42 UTC

File Type:

Binary

AV detection:

8 of 35 (22.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ibbvnw6ilsqa27jfs5few7llvmqzwftmayfu2uo5bi2mbtzlb3vq._file

Verdict:

malicious

Label(s):

xworm

donutloader

Similar samples:

error

XWorm

Result

Malware family:

xworm

Score:

10/10

Tags:

family:donutloader family:xworm collection discovery execution loader persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/260522-gxv9lae15p/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Accesses Microsoft Outlook profiles

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Detect Xworm Payload

Detects DonutLoader

Family: DonutLoader

Family: Xworm

Malware Config

C2 Extraction:

151.242.63.220:7004

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/404356dbc85ca00d7d25974a4b7d6bab219b166c060b4d51dd0a34c0cf2b0eeb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

js 404356dbc85ca00d7d25974a4b7d6bab219b166c060b4d51dd0a34c0cf2b0eeb

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample