MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fecb0662c4acd463645475e4efca2a14f4afa0960f34cdfd3e50346005efd83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fecb0662c4acd463645475e4efca2a14f4afa0960f34cdfd3e50346005efd83
SHA3-384 hash: 9c954d27f5da2aebe2c2af1de769cf7ce4b3753c9d3229f24777f26c41619d19d5a9771e47483448f2f0a3974910bb97
SHA1 hash: b496e893c8c58f02bd230ffd5f63d00929eeb095
MD5 hash: e11e319708d879649473a7b5ffe12f7c
humanhash: neptune-tennessee-winner-georgia
File name:Awb_shipping_documents_booking reference_bill_of_Lading_etd_eta_pdf.js
Download: download sample
Signature XWorm
Create hunting rule
File size:97'786 bytes
First seen:2025-04-18 16:55:15 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 1536:4ha4baF59glFhrkbmEKFfM9xb2rXkF5yA1M1odW/a9BccxaNararPjV7r2suqgcV:4C9IkX2rXkvLe14z9vrSPjIkwE0vEN
Threatray 1'615 similar samples on MalwareBazaar
TLSH T159A3E77DEBF9EDF0036675D48A9F3B3A049D3B8361770A0EA38CF9376454682966140E
Magika javascript
Reporter abuse_ch
Tags:js xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
467
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Other.Malware-gen.31726.5158.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68028a53280f5f89a0d17a70
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade obfuscated
Link:
https://www.filescan.io/uploads/68028407e9c1e257979cfb46/reports/11a0ea1f-4fd5-4338-97b1-10df75e63c7f/overview
Verdict:
Malicious
Labled as:
HEUR_Trojan_Script_Generic
Link:
https://www.hybrid-analysis.com/sample/4fecb0662c4acd463645475e4efca2a14f4afa0960f34cdfd3e50346005efd83
Result
Threat name:
Batch Injector, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1668600
Signature
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Batch Injector
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1668600 Sample: Awb_shipping_documents_book... Startdate: 18/04/2025 Architecture: WINDOWS Score: 100 85 maxbusinessworld.duckdns.org 2->85 89 Found malware configuration 2->89 91 Malicious sample detected (through community Yara rule) 2->91 93 Antivirus detection for URL or domain 2->93 97 18 other signatures 2->97 9 wscript.exe 1 2 2->9         started        13 cmd.exe 1 2->13         started        15 cmd.exe 1 2->15         started        17 6 other processes 2->17 signatures3 95 Uses dynamic DNS services 85->95 process4 file5 65 C:\Users\user\AppData\...\czrdnfigmtmsxic.bat, ASCII 9->65 dropped 109 JScript performs obfuscated calls to suspicious functions 9->109 111 Wscript starts Powershell (via cmd or directly) 9->111 113 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->113 115 Suspicious execution chain found 9->115 19 cmd.exe 1 9->19         started        22 cmd.exe 1 13->22         started        24 conhost.exe 13->24         started        26 cmd.exe 1 15->26         started        28 conhost.exe 15->28         started        30 cmd.exe 1 17->30         started        32 cmd.exe 1 17->32         started        34 cmd.exe 1 17->34         started        36 9 other processes 17->36 signatures6 process7 signatures8 99 Suspicious powershell command line found 19->99 101 Wscript starts Powershell (via cmd or directly) 19->101 103 Bypasses PowerShell execution policy 19->103 38 cmd.exe 2 19->38         started        41 conhost.exe 19->41         started        43 powershell.exe 22->43         started        46 conhost.exe 22->46         started        48 2 other processes 26->48 50 2 other processes 30->50 52 2 other processes 32->52 54 2 other processes 34->54 56 6 other processes 36->56 process9 file10 105 Suspicious powershell command line found 38->105 107 Wscript starts Powershell (via cmd or directly) 38->107 58 powershell.exe 17 38->58         started        63 conhost.exe 38->63         started        67 C:\Users\user\AppData\Roaming\...\8184.bat, ASCII 43->67 dropped 69 C:\Users\user\AppData\Roaming\...\e8dd.bat, ASCII 48->69 dropped 71 C:\Users\user\AppData\Roaming\...\67b6.bat, ASCII 50->71 dropped 73 C:\Users\user\AppData\Roaming\...\493f.bat, ASCII 52->73 dropped 75 C:\Users\user\AppData\Roaming\...\af92.bat, ASCII 54->75 dropped 77 C:\Users\user\AppData\Roaming\...\f40d.bat, ASCII 56->77 dropped 79 C:\Users\user\AppData\Roaming\...\ee9a.bat, ASCII 56->79 dropped 81 C:\Users\user\AppData\Roaming\...\4980.bat, ASCII 56->81 dropped signatures11 process12 dnsIp13 87 maxbusinessworld.duckdns.org 172.111.137.164, 3911 SOFTLAYERUS United States 58->87 83 C:\Users\user\AppData\Roaming\...\c184.bat, ASCII 58->83 dropped 117 Drops script or batch files to the startup folder 58->117 119 Found suspicious powershell code related to unpacking or dynamic code loading 58->119 file14 signatures15
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/4fecb0662c4acd463645475e4efca2a14f4afa0960f34cdfd3e50346005efd83
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fecb0662c4acd463645475e4efca2a14f4afa0960f34cdfd3e50346005efd83/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2025-04-17 10:18:48 UTC
File Type:
Text (Batch)
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j7wlazrmjlgumnsfi5pe57fcufhuv6qjmdzuzx6t4ubumac67wbq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
2aa37e753ce1273f6ee4968bec7e2381b79a85ffbd1ee3da1fe9b4c1ea3ec4cd
XWorm
53a2f686422f9f71b69d3a9699661c96dc1375d490ea188d5141bb1e8ae89029
XWorm
56f304f2e560f09da015a9f0744e3a0825f420e092ebf7d4605b81b56054bba5
XWorm
80a21952b87d83eb419768268b334364ecab48dbb9cbe55b967ba9636e512cab
XWorm
95bd50b1c849b16159f239b176e9c48d97bc7d841441829ec974997a93cb4c1e
XWorm
cb08ed88dd97692627d9bed9a5201369574a1ef581aa52cadd674b26461b1c9a
XWorm
d0ef84c36715bc834f68415f2b16ca2e8088141a83231f27c4a7d6285d4b6d1a
XWorm
error
XWorm
fa998dd5153a01397534f381ab5655a7afeb94e4b236e0dc4ffbed6891011949
XWorm
fbb6e25ede47737ad9d540192a46117ce42c6e24c7ce60d027e36ff49cba8213
XWorm
+ 1'605 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution rat trojan
Link:
https://tria.ge/reports/250418-w5zdjsvjy8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
maxbusinessworld.duckdns.org:3911
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4fecb0662c4acd463645475e4efca2a14f4afa0960f34cdfd3e50346005efd83

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments