MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55ea3e4e1cded44b00566cd5894720d01e1191fcfa17a28e25bf928093cdc425. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XWorm


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments

SHA256 hash: 55ea3e4e1cded44b00566cd5894720d01e1191fcfa17a28e25bf928093cdc425
SHA3-384 hash: d4b4aba7b2da8bf3f60fca0989a09e9853ee98d19c63ca594aa2cdb13bc691e65e7f07923372427b7c84e67babf7d38a
SHA1 hash: 43751c13e31ca21cb63a7526ef1d68a985d25b64
MD5 hash: 21736edc68277667cd708a794ff799f7
humanhash: montana-speaker-oklahoma-earth
File name:documento escaneado.js
Download: download sample
Signature XWorm
File size:1'661'532 bytes
First seen:2026-07-14 12:00:03 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 1536:MYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYQ:N/2Q
Threatray 1'647 similar samples on MalwareBazaar
TLSH T1A175A9E78B7C8842DE209A7A6F0F4AA4E675161E9CC610DF7466D5CC7F303E18A50E72
Magika javascript
Reporter James_inthe_box
Tags:exe js xworm

Intelligence


File Origin
# of uploads :
1
# of downloads :
143
Origin country :
US US
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm fingerprint powershell repaired
Verdict:
Malicious
File Type:
js
First seen:
2026-07-13T15:21:00Z UTC
Last seen:
2026-07-14T08:22:00Z UTC
Hits:
~1000
Gathering data
Threat name:
Script-JS.Trojan.Cryxos
Status:
Malicious
First seen:
2026-07-14 01:03:49 UTC
File Type:
Binary
AV detection:
7 of 36 (19.44%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:xworm discovery execution rat trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Badlisted process makes network request
Detect Xworm Payload
Family: Xworm
Process spawned unexpected child process
Malware Config
C2 Extraction:
64.89.162.178:7007
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments