MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47245d2a1c869294356a5fad2cc24bdc89a75799563b7ef81b4b933c6f8a644c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 10



SHA256 hash: 47245d2a1c869294356a5fad2cc24bdc89a75799563b7ef81b4b933c6f8a644c
SHA3-384 hash: 2883f0b179fb96816bc973dc4b426e66d7105f23d23e38351a7842c382fdff7fdaca661928d726f23c529efdbf72a80c
SHA1 hash: 4e41993f8fc1703732d92b24466dd105c9c4e637
MD5 hash: e67cb12c0beddc8df042abc579ccdf0d
humanhash: mexico-steak-asparagus-delta
File name: May_release#00198441783.js
Signature: XWorm
File size: 508'143 bytes
First seen: 2025-05-20 10:30:05 UTC
Last seen: Never
File type: JavaScript (JS)
MIME type: text/plain
ssdeep: 384:5rrrrrrrrrrrPrrrrrrrrrrrUrrrrrrrrrrrYrrrrrrrrrrrkrrrrrrrrrrrPrrO:p3KTY
Threatray: 127 similar samples on MalwareBazaar
TLSH: T142B4262A7AE77E45DC1944145F63223C4CE8273EABE5A2968DC242D73FC58AC5FC58B0
Magika: symlinktext
Reporter: smica83
Tags: js xworm

Intelligence


File Origin
Uploads: 1
Downloads: 474
Origin country: HU
Vendor Threat Intelligence
Verdict: Malicious
Score: 92.5%
Tags: autorun spawn overt sage
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated persistence powershell
Verdict: Malicious
Labelled as: SVM:TrojanDownloader/JS.Nemucod
Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected malicious Powershell script
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Found malware configuration
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected XWorm
Behaviour
Behavior Graph ID: 1694843 (sample May_release#00198441783.js, start date 20/05/2025, architecture WINDOWS, score 100). The graph is rendered here as a process list:
- Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures. Sample-level DNS lookup: cnbcanalysis.com.
- wscript.exe (three instances) each start powershell.exe. Signatures on wscript.exe: JScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures.
- First powershell.exe: connects to cnbcanalysis.com (162.241.85.107, port 443, from local port 49692; OIS1US, United States); drops C:\ProgramData\Cloud\cloud.ps1 (ASCII) and C:\ProgramData\Cloud\cloud.js (ASCII); starts conhost.exe and schtasks.exe (Uses schtasks.exe or at.exe to add and modify task schedules).
- Second powershell.exe: Writes to foreign memory regions; Creates a thread in another existing process (thread injection); starts RegSvcs.exe and conhost.exe.
- Third powershell.exe: starts RegSvcs.exe and conhost.exe.
- RegSvcs.exe: connects to 178.20.208.50, port 7304, from local port 49695 (HKKFGL-AS-APHKKwaifongGroupLimitedHK, Germany); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines).
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-05-20 10:31:35 UTC
File Type: Text (JavaScript)
AV detection: 6 of 24 (25.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: execution
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments