MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e1335fd2bf5783cdf1992ebd4ae13ea3cc4134358a714607b688e739c46fe00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	6e1335fd2bf5783cdf1992ebd4ae13ea3cc4134358a714607b688e739c46fe00
SHA3-384 hash:	0c5c427b80d8fabee18b503bb43afa1828232f24db5ffc6d3af76242ed92bce0b9f176352536280494260c3595884f9f
SHA1 hash:	51685d45d83d3eb13169c11d28dc50a6406b885c
MD5 hash:	b0155a106bb96b388f2efd7232c74006
humanhash:	dakota-eighteen-cat-skylark
File name:	fedex_tax_invoice_customs_clearance_guide_09_30_2025_0000000pdf.vbs
Download:	download sample
Signature	XWorm Create hunting rule
File size:	266'582 bytes
First seen:	2025-09-30 06:26:17 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	1536:lhv+tmjUVmcEoct5VpWUuWbuvHSh6NcRu1G:lRicUVmcEoctjsUIG6Nj1G
Threatray	739 similar samples on MalwareBazaar
TLSH	T19B442FFA2DD61FA60A101FEB62F11DDB2D90D292F648E0AC79917CE0671213C5F7869C
Magika	vba
Reporter	abuse_ch
Tags:	FedEx vbs xworm

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/29534/

Detection(s):

SecuriteInfo.com.BAT.Shell-1.UNOFFICIAL

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68db782740b7da0b4eb8d077

Tags:

obfuscate xtreme shell

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 evasive masquerade obfuscated powershell

Link:

https://www.filescan.io/uploads/68db78f574e5a28989999da0/reports/f3f7aa38-39c5-433d-9f2c-bc5ee04f4143/overview

Verdict:

Suspicious

Labled as:

TrojanDropper/VBS.Agent

Link:

https://www.hybrid-analysis.com/sample/6e1335fd2bf5783cdf1992ebd4ae13ea3cc4134358a714607b688e739c46fe00

Verdict:

Malicious

File Type:

vbs

First seen:

2025-09-30T02:05:00Z UTC

Last seen:

2025-09-30T02:05:00Z UTC

Hits:

~10

Detections:

PDM:Trojan.Win32.Generic HEUR:Trojan.BAT.Tesre.gen HEUR:Trojan.VBS.SAgent.gen HEUR:Trojan.PowerShell.Tesre.sb Trojan-Downloader.JS.Cryptoload.sb Trojan.BAT.Agent.sb Trojan.PowerShell.AmsiBypass.sb Trojan.JS.SAgent.sb Backdoor.Agent.TCP.C&C HEUR:Trojan-Downloader.Script.Generic

Link:

https://opentip.kaspersky.com/6e1335fd2bf5783cdf1992ebd4ae13ea3cc4134358a714607b688e739c46fe00/results?tab=lookup

Result

Threat name:

XWorm

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1786421

Signature

.NET source code contains a sample name check

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Creates processes via WMI

Found malware configuration

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample has a suspicious name (potential lure to open the executable)

Sample uses string decryption to hide its real strings

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/6e1335fd2bf5783cdf1992ebd4ae13ea3cc4134358a714607b688e739c46fe00

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6e1335fd2bf5783cdf1992ebd4ae13ea3cc4134358a714607b688e739c46fe00/

Verdict:

Malicious

Threat:

Trojan.PowerShell.AmsiBypass

Link:

https://tip.neiki.dev/file/6e1335fd2bf5783cdf1992ebd4ae13ea3cc4134358a714607b688e739c46fe00

Threat name:

Script-BAT.Packed.Generic

Status:

Suspicious

First seen:

2025-09-30 06:30:44 UTC

File Type:

Text

AV detection:

10 of 38 (26.32%)

Threat level:

1/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nyjtl7jl6v4dzxyzslv5jlqt5i6mie2dlctriyd3nchhhhcg7yaa._file

Verdict:

malicious

Label(s):

xworm

XWorm

1d7b49b36fec5265e4508b054206d25e20cabbcecdf0df6e9ef81fdf2236ff16

XWorm

443c070f1d20b0821daf3107e55bf5e6efbb8d0f86e5806c76d597e43ea11be1

XWorm

4bce5c43d01102b83bf0cb0b85d09ea8a758262b98b04aeccff957aad024f7bd

XWorm

86b20abad50522f0753ac9f340ae7555e0adb7d17ab4cf434c8a4a5ca8213e7a

XWorm

cbfd2c9ea3cb57537837c0f440d55352d7fa622d29d57a41bc05a86372c58067

XWorm

ea00a2a36ddf65471905637823a6932267ba2ebc36620aa82deaa652ec17334a

XWorm

error

XWorm

ffe6e82b7ea63f6d7254d5bef882fe778aeae3827d9778b928b9907af00004bd

XWorm

+ 729 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm execution rat trojan

Link:

https://tria.ge/reports/250930-g9bqqa1zhs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: PowerShell

Badlisted process makes network request

Detect Xworm Payload

Process spawned unexpected child process

Xworm

Xworm family

Malware Config

C2 Extraction:

billiondollarbank.minhacasa.tv:3033

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6e1335fd2bf5783cdf1992ebd4ae13ea3cc4134358a714607b688e739c46fe00

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ClamAV_Emotet_String_Aggregate Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/29534/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample