MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fcffd5b8f6c1c9aee777ccb7fca8d9306d218ca2ae084a43cb3f370f4dca280. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fcffd5b8f6c1c9aee777ccb7fca8d9306d218ca2ae084a43cb3f370f4dca280
SHA3-384 hash: 4df5629c25bb93af6f4e84c504d0ead23ad474da3c2a99a258cae3a0431f852137265561978858fe04a5478f83daa85b
SHA1 hash: 1b1cf837a791c4a757077501228777eaf48023dd
MD5 hash: d3602ab018e9bafd4de2b8d024a29f7c
humanhash: fifteen-maryland-vermont-apart
File name:d3602ab018e9bafd4de2b8d024a29f7c.js
Download: download sample
Signature XWorm
Create hunting rule
File size:1'113'117 bytes
First seen:2026-03-18 09:46:11 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 192:dNDdMc2jrixTQ6LpA1U0eQLmDyDyty92qyXY42BF3YAM6YfsWKfuMlpiZWu4rA+l:dNDdM20
Threatray 1'525 similar samples on MalwareBazaar
TLSH T118350219F61B0AA0D17F94E2049DBB9BCD5A2119F543203A31E391CEBD279AD12E377C
Magika javascript
Reporter abuse_ch
Tags:js xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69ba74b993b644ca466b3f01
Tags:
obfuscate autorun xtreme virus
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
repaired
Link:
https://www.filescan.io/uploads/69ba747f4678eefbc7ae0a20/reports/1cc6ef76-2452-41f4-bd56-92ca30e67c5a/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/4fcffd5b8f6c1c9aee777ccb7fca8d9306d218ca2ae084a43cb3f370f4dca280
Result
Gathering data
Verdict:
Malicious
File Type:
js
Link:
https://opentip.kaspersky.com/4fcffd5b8f6c1c9aee777ccb7fca8d9306d218ca2ae084a43cb3f370f4dca280/results?tab=lookup
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1885489
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates processes via WMI
Drops script or batch files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries the IP of a very long domain name
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1885489 Sample: fJXh0hY2xq.js Startdate: 18/03/2026 Architecture: WINDOWS Score: 100 42 bafybeibwz6lzwo6u5gkhp3ydl4te3hl3plfkypox6mnejssqwfrpdsmqoy.ipfs.dweb.link 2->42 44 bafybeibqcivjhwg2msil5g62did64uhtptlf7epidbrat4gexerzfv5mmq.ipfs.dweb.link 2->44 46 8 other IPs or domains 2->46 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 64 17 other signatures 2->64 8 wscript.exe 1 3 2->8         started        12 powershell.exe 14 16 2->12         started        15 wscript.exe 1 2->15         started        17 3 other processes 2->17 signatures3 62 Queries the IP of a very long domain name 44->62 process4 dnsIp5 38 C:\Users\...\fJXh0hY2xq.js:Zone.Identifier, ASCII 8->38 dropped 40 C:\Users\user\AppData\...\fJXh0hY2xq.js, ASCII 8->40 dropped 72 Suspicious powershell command line found 8->72 74 Wscript starts Powershell (via cmd or directly) 8->74 76 Drops script or batch files to the startup folder 8->76 84 2 other signatures 8->84 50 bafybeibqcivjhwg2msil5g62did64uhtptlf7epidbrat4gexerzfv5mmq.ipfs.dweb.link 209.94.90.2, 443, 49703, 49712 PROTOCOLUS United States 12->50 52 bafybeibwz6lzwo6u5gkhp3ydl4te3hl3plfkypox6mnejssqwfrpdsmqoy.ipfs.dweb.link 209.94.90.3, 443, 49713, 49716 PROTOCOLUS United States 12->52 78 Writes to foreign memory regions 12->78 80 Injects a PE file into a foreign processes 12->80 19 MSBuild.exe 1 6 12->19         started        24 conhost.exe 12->24         started        26 powershell.exe 15->26         started        54 127.0.0.1 unknown unknown 17->54 82 Creates processes via WMI 17->82 28 conhost.exe 17->28         started        30 conhost.exe 17->30         started        file6 signatures7 process8 dnsIp9 48 198.23.175.51, 4078, 49714 AS-COLOCROSSINGUS United States 19->48 36 C:\Users\user\AppData\...\XWormClient.exe, PE32 19->36 dropped 66 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->66 68 Writes to foreign memory regions 26->68 70 Injects a PE file into a foreign processes 26->70 32 MSBuild.exe 1 26->32         started        34 conhost.exe 26->34         started        file10 signatures11 process12
Score:
15%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/4fcffd5b8f6c1c9aee777ccb7fca8d9306d218ca2ae084a43cb3f370f4dca280
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fcffd5b8f6c1c9aee777ccb7fca8d9306d218ca2ae084a43cb3f370f4dca280/
Verdict:
Malicious
Threat:
Trojan.Script.Startup
Link:
https://tip.neiki.dev/file/4fcffd5b8f6c1c9aee777ccb7fca8d9306d218ca2ae084a43cb3f370f4dca280
Threat name:
Script-JS.Trojan.ObfPadding
Create hunting rule
Status:
Malicious
First seen:
2026-03-16 10:11:50 UTC
File Type:
Text (JavaScript)
AV detection:
5 of 36 (13.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j7h72w4pnqojv3txptfx7sunsmdneggkflqijjb4wpzxb5g4ukaa._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
0794dde51a3d0c0c712fa764940be7ff12b83e73ffe33ac9c5d0847fc50d9075
XWorm
0f425d11e80b7cf493fb42d4f4866efb68169d3c5b1a90af93ceef9a82649b5f
XWorm
4fc5db02f555a38fe3a0153e1f7d8261fc545a9ac7a2951a4558f5571b20531d
XWorm
e45fdbb2d13cde33ef20e43a38308dca4bbe4718c01268ae960e3e105494923d
XWorm
error
XWorm
f3da246accb9e31bdb4e51187dada28e4c71a927c56adea2333fb9625b1bf7f5
XWorm
+ 1'515 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/260318-lry6hsfv3w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Drops startup file
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/4fcffd5b8f6c1c9aee777ccb7fca8d9306d218ca2ae084a43cb3f370f4dca280

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments