MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 439175b5bfaafca117163a9570a900a0e7074dc96ecfa9dc7e9a210090b98cbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 439175b5bfaafca117163a9570a900a0e7074dc96ecfa9dc7e9a210090b98cbd
SHA3-384 hash: 089f8ffe1f4a0dbd89d733479bc5c7ad2a4dbe2a34649c3f23e66f13f549ada730945f73a1415cb3e66529e20ab5290c
SHA1 hash: a185c71fbeaa6b7ff649f2d22d42a4d8b4bf3755
MD5 hash: 9ed5bc630a01dc7b4d73bb580c2177df
humanhash: harry-sweet-pizza-texas
File name:RFQ_Items_list_AL OTHA-20251104_pdf.js
Download: download sample
Signature XWorm
Create hunting rule
File size:239'511 bytes
First seen:2025-11-04 08:33:58 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 3072:RuA7VWBLaKRby1XR52a1NmyGav2ld+AslGvmM7lsX0FIds:RuEWBL3xy1XDj3myGav/AvpXFIds
Threatray 59 similar samples on MalwareBazaar
TLSH T12D34B4BACC8CB49EE2AC395C00776A0750BCCD935BB21A1C6D62DBB5BFD11C0578A746
Magika javascript
Reporter abuse_ch
Tags:js xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
SE SE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6909bac39942f1282ecbe26d
Tags:
obfuscate autorun xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 evasive fingerprint masquerade obfuscated powershell powershell repaired
Link:
https://www.filescan.io/uploads/6909bbc1393eed3f38e317fe/reports/9ea76410-d9c1-4317-bf21-fba4d7c80fe6/overview
Verdict:
Suspicious
Labled as:
JS/Agent.DGI
Link:
https://www.hybrid-analysis.com/sample/439175b5bfaafca117163a9570a900a0e7074dc96ecfa9dc7e9a210090b98cbd
Verdict:
Malicious
File Type:
js
First seen:
2025-11-04T05:16:00Z UTC
Last seen:
2025-11-06T06:14:00Z UTC
Hits:
~1000
Detections:
Trojan.BAT.Agent.sb HEUR:Trojan.BAT.Tesre.gen Trojan.PowerShell.AmsiBypass.sb Backdoor.Agent.TCP.C&C HEUR:Trojan.Script.Generic PDM:Trojan.Win32.Generic Trojan.JS.SAgent.sb HEUR:Trojan.PowerShell.Tesre.sb Trojan-Downloader.JS.Cryptoload.sb Trojan.VBS.SAgent.sb
Link:
https://opentip.kaspersky.com/439175b5bfaafca117163a9570a900a0e7074dc96ecfa9dc7e9a210090b98cbd/results?tab=lookup
Result
Threat name:
SugarDump, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1807611
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Creates processes via WMI
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected SugarDump
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1807611 Sample: RFQ_Items_list_AL OTHA-2025... Startdate: 04/11/2025 Architecture: WINDOWS Score: 100 116 pastebin.com 2->116 118 keyauth.win 2->118 124 Suricata IDS alerts for network traffic 2->124 126 Found malware configuration 2->126 128 Malicious sample detected (through community Yara rule) 2->128 132 21 other signatures 2->132 12 wscript.exe 1 1 2->12         started        16 cmd.exe 1 2->16         started        18 cmd.exe 2->18         started        20 3 other processes 2->20 signatures3 130 Connects to a pastebin service (likely for C&C) 116->130 process4 file5 112 C:\Users\user\AppData\Local\Temp\Orange.bat, ASCII 12->112 dropped 144 Wscript starts Powershell (via cmd or directly) 12->144 146 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->146 148 Suspicious execution chain found 12->148 150 Creates processes via WMI 12->150 22 cmd.exe 1 12->22         started        25 cmd.exe 1 16->25         started        27 conhost.exe 16->27         started        29 cmd.exe 18->29         started        31 conhost.exe 18->31         started        33 cmd.exe 20->33         started        35 cmd.exe 20->35         started        37 cmd.exe 20->37         started        39 3 other processes 20->39 signatures6 process7 signatures8 134 Suspicious powershell command line found 22->134 136 Wscript starts Powershell (via cmd or directly) 22->136 138 Bypasses PowerShell execution policy 22->138 41 cmd.exe 1 22->41         started        43 conhost.exe 22->43         started        45 cmd.exe 1 25->45         started        48 cmd.exe 29->48         started        50 cmd.exe 33->50         started        52 cmd.exe 35->52         started        54 cmd.exe 37->54         started        process9 signatures10 56 cmd.exe 2 41->56         started        152 Suspicious powershell command line found 45->152 154 Wscript starts Powershell (via cmd or directly) 45->154 59 powershell.exe 45->59         started        62 conhost.exe 45->62         started        64 powershell.exe 48->64         started        66 conhost.exe 48->66         started        68 powershell.exe 50->68         started        70 conhost.exe 50->70         started        72 2 other processes 52->72 74 2 other processes 54->74 process11 file12 140 Suspicious powershell command line found 56->140 142 Wscript starts Powershell (via cmd or directly) 56->142 76 powershell.exe 17 32 56->76         started        81 conhost.exe 56->81         started        102 C:\Users\user\AppData\Roaming\...\c25b.bat, ASCII 59->102 dropped 104 C:\Users\user\AppData\Roaming\...\0d55.bat, ASCII 64->104 dropped 106 C:\Users\user\AppData\Roaming\...\5b87.bat, ASCII 68->106 dropped 108 C:\Users\user\AppData\Roaming\...\8f7e.bat, ASCII 72->108 dropped 110 C:\Users\user\AppData\Roaming\...\fc31.bat, ASCII 74->110 dropped signatures13 process14 dnsIp15 120 217.64.148.136, 49699, 49700, 51960 OBE-EUROPEObenetworkEuropeSE Sweden 76->120 122 pastebin.com 172.66.171.73, 443, 49698 CLOUDFLARENETUS United States 76->122 114 C:\Users\user\AppData\Roaming\...\ece5.bat, ASCII 76->114 dropped 156 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 76->156 158 Drops script or batch files to the startup folder 76->158 160 Tries to harvest and steal browser information (history, passwords, etc) 76->160 162 2 other signatures 76->162 83 csc.exe 4 76->83         started        86 csc.exe 3 76->86         started        88 powershell.exe 76->88         started        90 powershell.exe 76->90         started        file16 signatures17 process18 file19 100 C:\Users\user\AppData\...\powershell.exe, PE32 83->100 dropped 92 conhost.exe 83->92         started        94 cvtres.exe 1 83->94         started        96 conhost.exe 86->96         started        98 cvtres.exe 1 86->98         started        process20
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/439175b5bfaafca117163a9570a900a0e7074dc96ecfa9dc7e9a210090b98cbd
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/439175b5bfaafca117163a9570a900a0e7074dc96ecfa9dc7e9a210090b98cbd/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/439175b5bfaafca117163a9570a900a0e7074dc96ecfa9dc7e9a210090b98cbd
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2025-11-04 08:48:11 UTC
File Type:
Text (HTML)
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ioixlnn7vl6kcfywhkkxbkiaudtqotojn3h2txd6tiqqbefzrs6q._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
0ab443fab4801052dad2c86ca316328d520447ad0dc7246c0235e2eef2e97a1d
XWorm
1cbbb5dfc0c192f12c73ffef24f957c47bf36fb0c7c3b47076bac0872fac33a1
XWorm
203d89bb4cc6f43407327ed2c132bbe394cb55f7ff3cd4f84038943df2e0ebf7
XWorm
732975f6429f6127a1927f1a5ebeb2a28b2d64e8b7b2c22df37708ac165074cc
XWorm
b51dece1c0b3a6422d16176ce2397cfcdde099be7700cc45b8c79c30d3727489
XWorm
bbd166e6d916f328c29a4e19a4cb2f686c447b197eb7291def515bc3a63fdda7
XWorm
df427364a3983eeb6defc880fceb46cbd749dbbc730986bbbd053aa35efd7fdb
XWorm
error
XWorm
ffa74f7c6cc8e12559de04e5349533ceff8860cda9851a9af748b797cb23f6d1
XWorm
+ 49 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm collection execution rat trojan
Link:
https://tria.ge/reports/251104-kj7x1sbq2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: JavaScript
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Executes dropped EXE
Badlisted process makes network request
Detect Xworm Payload
Process spawned unexpected child process
Xworm
Xworm family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/439175b5bfaafca117163a9570a900a0e7074dc96ecfa9dc7e9a210090b98cbd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments