MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6475ff60240e5415552a7fc540f397b7bf8a747ce4a3f06d7cce1718c3b359d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	6475ff60240e5415552a7fc540f397b7bf8a747ce4a3f06d7cce1718c3b359d8
SHA3-384 hash:	514e7a4055d734ad99bc1253ced2eea97e0e80b52efdc21768efc2b644068f585fd2cddefcb95ac930f0410a0858b823
SHA1 hash:	5094de89f1895547a94fa9fe37355558ad7d259a
MD5 hash:	47f0c1d99cf7646e7e4553c37e96ce52
humanhash:	uncle-green-uniform-four
File name:	47f0c1d99cf7646e7e4553c37e96ce52.js
Download:	download sample
Signature	XWorm Create hunting rule
File size:	1'331'781 bytes
First seen:	2026-02-27 17:12:21 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	96:ChBfM+SweC/QEzQf266Sh8YvFJDM+E3ArPiWPcu5OOkv+9pnN71R5QdkD6APN6lf:CnfMsFS7RJeOi0yP0c9
Threatray	2'147 similar samples on MalwareBazaar
TLSH	T1DF550330796DDCEB05E9BBC15B04A22DCFD218F5238A5B08AF4FB1EA7744618D0B5A71
Magika	javascript
Reporter	abuse_ch
Tags:	js xworm

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69a1d0b0c950ab5d9ab22d38

Tags:

obfuscate autorun xtreme blic

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

repaired

Link:

https://www.filescan.io/uploads/69a1d0b197feb4afd65fcba7/reports/412f127e-bf40-4a02-a57f-db2fa03f565c/overview

Verdict:

Suspicious

Labled as:

Trojan/Runner.ac

Link:

https://www.hybrid-analysis.com/sample/6475ff60240e5415552a7fc540f397b7bf8a747ce4a3f06d7cce1718c3b359d8

Result

Gathering data

Verdict:

Malicious

File Type:

Detections:

Trojan.VBS.SAgent.sb PDM:Trojan.Win32.Generic Backdoor.Agent.TCP.C&C Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Startup.gen HEUR:Trojan.Script.Generic

Link:

https://opentip.kaspersky.com/6475ff60240e5415552a7fc540f397b7bf8a747ce4a3f06d7cce1718c3b359d8/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1876147

Signature

Creates processes via WMI

Drops script or batch files to the startup folder

JavaScript source code contains functionality to generate code involving a shell, file or stream

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries the IP of a very long domain name

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Drops script at startup location

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Yara detected Powershell decode and execute

Yara detected Powershell download and execute

Behaviour

Behavior Graph:

Download SVG

Score:

18%

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/6475ff60240e5415552a7fc540f397b7bf8a747ce4a3f06d7cce1718c3b359d8

Verdict:

inconclusive

YARA:

1 match(es)

Link:

https://app.malva.re/file/47f0c1d99cf7646e7e4553c37e96ce52

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6475ff60240e5415552a7fc540f397b7bf8a747ce4a3f06d7cce1718c3b359d8/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/6475ff60240e5415552a7fc540f397b7bf8a747ce4a3f06d7cce1718c3b359d8

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mr276ybebzkbkvjkp7cub44xw67yu5d44sr7a3l4zylrrq5tlhma._file

Verdict:

malicious

Label(s):

xworm

XWorm

6aec274be9554ffe0676af41069f7f52a9af50ac7291de722203930aeca8a536

XWorm

7b978216e289a2c6e3f33ad04746b91d86ca32a8eeed6dfb9319bdcd22103f03

XWorm

8727308a32fe5bc544074066b76ff9ffd8b47d49c387bf23a471f51c068c7f58

XWorm

d9fe09a4c63d64a5adf1bdd5a04034401831f76b7330547a991fe4bf29cf419f

XWorm

error

XWorm

+ 2'137 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm discovery execution persistence rat trojan

Link:

https://tria.ge/reports/260227-vrjkhaaw2f/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Drops startup file

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Detect Xworm Payload

Process spawned unexpected child process

Xworm

Xworm family

Malware Config

C2 Extraction:

198.23.175.51:4078

Dropper Extraction:

https://bafybeig5e7vfagk6xs4b2kk6s2bgaqm4trr56whisnhzirxutlovqkcnli.ipfs.dweb.link?filename=optimized_MSI.png

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/6475ff60240e5415552a7fc540f397b7bf8a747ce4a3f06d7cce1718c3b359d8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample