MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5447f5420344c1ad2b237536c635148f1d843076e76bb60de778e1a1f302e1d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5447f5420344c1ad2b237536c635148f1d843076e76bb60de778e1a1f302e1d9
SHA3-384 hash: cf2c11700f0b9cb8e2295d8c0dd2c7ffbed77bfc16c9cd8082cde0366841552d1fbcdc5412cf646bebe9bf92baf9b29e
SHA1 hash: aca7cf1a7c1ed81762bc78bc51e92a2da1d5aa7d
MD5 hash: 858286c719068db5530a9c45f09a9955
humanhash: mobile-cat-uranus-black
File name:Purchae_Order#50042.zip
Download: download sample
Signature XWorm
Create hunting rule
File size:53'984 bytes
First seen:2025-11-10 11:11:22 UTC
Last seen:2025-11-10 11:38:46 UTC
File type: zip
MIME type:application/zip
ssdeep 768:MfDTQPe9jd9VUMf6ROl/T9zd9996d1Qam6lu0oMLfSwHQrPZPYMYue33oRccqQ2J:wQPSjdx6ROb996DQa7x98wMcHMccq94u
TLSH T1C13302E95483697C970C8CFC958D0DEE9487EC0C3906AD37F68BDB30C80B9CA52695D1
Magika zip
Reporter cocaman
Tags:xworm zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Saul Garcia <saulgarcia@garol.mx>" (likely spoofed)
Received: "from garol.mx (unknown [147.124.211.184]) "
Date: "7 Nov 2025 04:36:58 -0800"
Subject: "Purchase Order Attached - Bulk Order Inquiry"
Attachment: "Purchae_Order#50042.zip"

Intelligence

File Origin
# of uploads :
8
# of downloads :
75
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Purchae_Order#50042.js
File size:254'271 bytes
SHA256 hash: 9c9cf095c3ff1c23a4938f8f815055521383bc6ec5e27d4647f0f6037f500402
MD5 hash: f8ab16d94b05c5c0e5ca608a7724d5db
MIME type:text/plain
Signature XWorm
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_jsnum.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Script.SNH-gen.89424775.UNOFFICIAL
Create hunting rule

PUA.SecuriteInfo.com.JS.Malware-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690ef92d30bacec888c9b7af
Tags:
obfuscate xtreme shell
Result
Verdict:
Malicious
File Type:
JS File - Malicious
Link:
https://app.docguard.net/5447f5420344c1ad2b237536c635148f1d843076e76bb60de778e1a1f302e1d9/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 evasive fingerprint masquerade obfuscated powershell powershell repaired xworm
Link:
https://www.filescan.io/uploads/6911c88e413b181bff1e74f3/reports/9ee6f3d1-1f09-4e2a-aae7-afec73ab4351/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/5447f5420344c1ad2b237536c635148f1d843076e76bb60de778e1a1f302e1d9
Verdict:
Malicious
File Type:
zip
First seen:
2025-11-06T20:00:00Z UTC
Last seen:
2025-11-12T07:25:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/5447f5420344c1ad2b237536c635148f1d843076e76bb60de778e1a1f302e1d9/results?tab=lookup
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/5447f5420344c1ad2b237536c635148f1d843076e76bb60de778e1a1f302e1d9
Verdict:
inconclusive
YARA:
2 match(es)
Tags:
Zip Archive
Link:
https://app.malva.re/file/858286c719068db5530a9c45f09a9955
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5447f5420344c1ad2b237536c635148f1d843076e76bb60de778e1a1f302e1d9/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-11-07 03:46:51 UTC
File Type:
Binary (Archive)
Extracted files:
1
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=krd7kqqdita22kzdou3mmniur4oyimdw45v3mdphpdq2d4yc4hmq._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/251110-s93d8a1lby/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: PowerShell
Badlisted process makes network request
Detect Xworm Payload
Process spawned unexpected child process
Xworm
Xworm family
Malware Config
C2 Extraction:
31.40.204.73:1414
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/5447f5420344c1ad2b237536c635148f1d843076e76bb60de778e1a1f302e1d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

zip 5447f5420344c1ad2b237536c635148f1d843076e76bb60de778e1a1f302e1d9

(this sample)

XWorm

Java Script (JS) js 9c9cf095c3ff1c23a4938f8f815055521383bc6ec5e27d4647f0f6037f500402

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 9c9cf095c3ff1c23a4938f8f815055521383bc6ec5e27d4647f0f6037f500402
  
Dropping
XWorm
  
Dropping
MD5 f8ab16d94b05c5c0e5ca608a7724d5db

Comments