MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b56821ba2a0e22b27db3cd99dbe52cb45d63e76fbec23986bcc319c7c6fab26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XWorm


Vendor detections: 10



SHA256 hash: 5b56821ba2a0e22b27db3cd99dbe52cb45d63e76fbec23986bcc319c7c6fab26
SHA3-384 hash: 11ef905a8eb9113f5fdb26213ec9e03abdfaa16f8bb5fbbbec5c3575db12d2c9430db89e8ecc54ac03e48c4a942a183f
SHA1 hash: d0cc56f34a3d774a682b6b0a1efd81f7fc48fcc8
MD5 hash: 534878b5ae17d4a4ae9948bf1e549d20
humanhash: hotel-oklahoma-lemon-mountain
File name: PURCHASE ORDER-09789.zip
Signature: XWorm
File size: 50'175 bytes
First seen: 2025-10-29 12:59:51 UTC
Last seen: 2025-10-29 13:54:16 UTC
File type: zip
MIME type: application/zip
ssdeep: 1536:S2LBKkZDAus8qbV12uumiYF2tHzm9Hh44QvohYf:TLBfZDAusf/XhkzmfFhU
TLSH: T13633F2E32784656EDAD812A6677F933D11D334C9E8C3A8734739A684127745362FCA8C
Magika: zip
Reporter: cocaman
Tags: xworm zip


Reporter comment (cocaman):
Malicious email (T1566.001)
From: "Debabrata Roy <Financial@lgepartner.com>" (likely spoofed)
Received: "from lgepartner.com (unknown [216.250.252.109]) "
Date: "29 Oct 2025 06:53:26 -0700"
Subject: "New Order PO#86637 09/09/2024"
Attachment: "PURCHASE ORDER-09789.zip"

Intelligence

File Origin
Number of uploads: 4
Number of downloads: 80
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: PURCHASE ORDER-09789.vbs
File size: 132'855 bytes
SHA256 hash: bbd166e6d916f328c29a4e19a4cb2f686c447b197eb7291def515bc3a63fdda7
MD5 hash: 446a30a5f203a7b711e9566af018004f
MIME type: text/plain
Signature: XWorm
Vendor Threat Intelligence

Verdict: Malicious
Score: 90.2%
Tags: obfuscate autorun xtreme shell

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: masquerade obfuscated

Verdict: Malicious
File Type: zip
First seen: 2025-10-29T10:01:00Z UTC
Last seen: 2025-10-31T04:35:00Z UTC
Hits: ~10

Verdict: Malware
YARA: 2 match(es)
Tags: DeObfuscated Obfuscated PowerShell Scripting.FileSystemObject T1059.005 VBScript Zip Archive

Threat name: Script-WScript.Trojan.Egairtigado
Status: Malicious
First seen: 2025-10-29 12:57:33 UTC
File Type: Binary (Archive)
Extracted files: 1
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:xworm collection execution rat trojan
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Drops startup file
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Detect Xworm Payload
Process spawned unexpected child process
Xworm
Xworm family
Malware Config
C2 Extraction: 31.40.204.73:1414

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: XWorm
zip 5b56821ba2a0e22b27db3cd99dbe52cb45d63e76fbec23986bcc319c7c6fab26 (this sample)
Delivery method: Distributed via e-mail attachment
