MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6631e7fad1ecda70e50c7d29fcbd222c742ff67e658050146307b4e48a64b186. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6631e7fad1ecda70e50c7d29fcbd222c742ff67e658050146307b4e48a64b186
SHA3-384 hash: 2e3aaf62fbdf709702e60fa29d111f031affdd3de9618065eea009d90f39bb75c0996e923f7480a7ef67cf621626f800
SHA1 hash: d5d499e403843d0a6a978f7fd7389cb06569ba85
MD5 hash: 90460577f410e7ebde480575118d1d97
humanhash: texas-west-king-victor
File name:Scanned-NIE-000876.pdf.lnk
Download: download sample
Signature XWorm
Create hunting rule
File size:2'935 bytes
First seen:2025-10-09 20:24:02 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 48:8IQIJ8qdWhbfUKBr/qsvUKabXuHyV3P76pxjIlcUKQpoGvsvUK:8Ewb7J/qsLuuA/SxIlaYBsL
Threatray 2'504 similar samples on MalwareBazaar
TLSH T1A251DC1262E5166AE376463054F3D9A297377DA1F001DA1C80A1835A1473E18CEA9FFB
Magika lnk
Reporter smica83
Tags:5-253-59-191 lnk xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
61
Origin country :
HU HU
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilLNK.TargetUNCDancingInHeaven.20230323.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddUNCPathNeonShredder.20230802.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.CelebritySkin.20240324.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e81a0423804d0975b651bd
Tags:
shell spawn sage
Result
Verdict:
Suspicious
File Type:
LNK File
Link:
https://app.docguard.net/6631e7fad1ecda70e50c7d29fcbd222c742ff67e658050146307b4e48a64b186/results/dashboard
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated opendir opendir webdav
Link:
https://www.filescan.io/uploads/68e819fd74d89de012b45ddd/reports/171ac347-1281-49fb-be74-c6ad8af1ddf8/overview
Verdict:
Malicious
Labled as:
Trojan[Downloader]/LNK.Agent
Link:
https://www.hybrid-analysis.com/sample/6631e7fad1ecda70e50c7d29fcbd222c742ff67e658050146307b4e48a64b186
Verdict:
Clean
File Type:
lnk
Link:
https://opentip.kaspersky.com/6631e7fad1ecda70e50c7d29fcbd222c742ff67e658050146307b4e48a64b186/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1792404
Signature
Suricata IDS alerts for network traffic
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
Download SVG
Verdict:
inconclusive
YARA:
2 match(es)
Tags:
LNK
Link:
https://app.malva.re/file/90460577f410e7ebde480575118d1d97
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6631e7fad1ecda70e50c7d29fcbd222c742ff67e658050146307b4e48a64b186/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/6631e7fad1ecda70e50c7d29fcbd222c742ff67e658050146307b4e48a64b186
Threat name:
Binary.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-10-09 18:27:22 UTC
File Type:
Binary
AV detection:
3 of 38 (7.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=myy6p6wr5tnhbzimpuu7zpjcfr2c75t6mwafafdda62ojctewgda._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
2fac802da7057d67fa47ea71fd6f028a1f6a60c0120d087dd6603d82c8fc4779
XWorm
32854f6bd0f40b5de1e8ed8e456508d1db5a9b44293f3f20420f1e1919e794ec
XWorm
37b3468478740d625e9c1b9e5342530e5df1d99dd78cc269df96ff2fd59ac1b1
XWorm
a613787abd518cbd4943ed0df6290c0071e36ef30cc9bd5ab2e070418c374585
XWorm
b994e8cd9cfc2cd2151b70947c845e529bc13cc2a90b4f0633fbe1eea8d50783
XWorm
e90c2dbd570b31b0052c55bd5cf38caeaf2fc06afa9bd8660f40c9733008c758
XWorm
error
XWorm
+ 2'494 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/251009-y6snhaar8t/
Behaviour
Enumerates physical storage devices
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6631e7fad1ec/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/6631e7fad1ecda70e50c7d29fcbd222c742ff67e658050146307b4e48a64b186

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Script_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies scripting artefacts in shortcut (LNK) files.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments