MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7706af0288e1f625d7f60916d15a0786503ad8b00db1de03590401336cb2786d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7706af0288e1f625d7f60916d15a0786503ad8b00db1de03590401336cb2786d
SHA3-384 hash: a2fe1983b5a2788e0bbce233a1ecb6133633aabaf58f58583673e16661d37baa7391f70747df47ea081016cd7f2e6f97
SHA1 hash: 8e4155cdc4086cb632b7c85a88a477a741f959b0
MD5 hash: d0115a3a2774600920ee3b12a485e48e
humanhash: iowa-don-india-one
File name:comprovativo de pagamento.js
Download: download sample
Signature XWorm
Create hunting rule
File size:1'127'261 bytes
First seen:2026-02-28 08:17:07 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 12288:og5R5XgK5xwbRQtvgUDu1yKgmA+YySiLFSYwgDAMYTkWFMe4FIs:u
Threatray 2'156 similar samples on MalwareBazaar
TLSH T16C35527AB7C16D76C390C35AE4CCB14BDD516095B282A9D69E48EECF8800D4DABB0D73
Magika javascript
Reporter JAMESWT_WT
Tags:jerrymac2008-duckdns-org js Spam-ITA xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
IT IT
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.32501.JsHeur.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a2a48dc950ab5d9ab26b81
Tags:
malware
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
remcos repaired
Link:
https://www.filescan.io/uploads/69a2a48b97feb4afd6612288/reports/37d8a382-98af-4e00-a935-d4bfd32bac33/overview
Verdict:
Malicious
Labled as:
HEUR_Trojan_Script_Generic
Link:
https://www.hybrid-analysis.com/sample/7706af0288e1f625d7f60916d15a0786503ad8b00db1de03590401336cb2786d
Verdict:
Malicious
File Type:
js
Detections:
PDM:Trojan.Win32.Generic Backdoor.Agent.TCP.C&C Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Startup.gen HEUR:Trojan.Script.Generic Trojan.VBS.SAgent.sb
Link:
https://opentip.kaspersky.com/7706af0288e1f625d7f60916d15a0786503ad8b00db1de03590401336cb2786d/results?tab=lookup
Score:
28%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/7706af0288e1f625d7f60916d15a0786503ad8b00db1de03590401336cb2786d
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7706af0288e1f625d7f60916d15a0786503ad8b00db1de03590401336cb2786d/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/7706af0288e1f625d7f60916d15a0786503ad8b00db1de03590401336cb2786d
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-02-27 16:07:05 UTC
File Type:
Binary
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o4dk6aui4h3clv7wbelncwqhqzidvwfqbwy54a2zaqatg3fspbwq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
58b09f78ed25e76e2c9e5abf0e10af50a63e2c5e480ae3ed160569b7baa28b42
XWorm
6aec274be9554ffe0676af41069f7f52a9af50ac7291de722203930aeca8a536
XWorm
7b978216e289a2c6e3f33ad04746b91d86ca32a8eeed6dfb9319bdcd22103f03
XWorm
8727308a32fe5bc544074066b76ff9ffd8b47d49c387bf23a471f51c068c7f58
XWorm
d9fe09a4c63d64a5adf1bdd5a04034401831f76b7330547a991fe4bf29cf419f
XWorm
error
XWorm
+ 2'146 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:salatstealer family:xworm credential_access defense_evasion discovery execution persistence rat spyware stealer trojan upx
Link:
https://tria.ge/reports/260228-j6s7psey6h/
Behaviour
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Power Settings
Creates new service(s)
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Stops running service(s)
Unsecured Credentials: Credentials In Files
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Detect SalatStealer payload
Detect Xworm Payload
Process spawned unexpected child process
Salatstealer family
UAC bypass
Xworm
Xworm family
salatstealer
Malware Config
C2 Extraction:
jerrymac2008.duckdns.org:4078
Dropper Extraction:
https://bafybeihmvo5nbtacxb7bx6bzla7adpg7ldm2ud3fqbom6724ajlki42urq.ipfs.dweb.link?filename=22222optimized_MSI.png
Malware family:
SalatStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7706af0288e1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/7706af0288e1f625d7f60916d15a0786503ad8b00db1de03590401336cb2786d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments