MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e64afef92c1568634c5bd45ce0efaaf1685ef75d12cc54b241396cce8f2e8d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e64afef92c1568634c5bd45ce0efaaf1685ef75d12cc54b241396cce8f2e8d3
SHA3-384 hash: 54fc6c8ad8ad1755b2d91ec92ba41a168f7ffd1e2965b2a50ce2d82dbdc1c13bc3aa52abb6c2c18434915d620e47b09c
SHA1 hash: 53a5e9b09b064bbb08675cdbe3389d12ca13fa80
MD5 hash: 46744bf221cce56228a85fb63f0865bc
humanhash: tango-nineteen-lion-four
File name:Purchase order T43607_pdf.js
Download: download sample
Signature XWorm
Create hunting rule
File size:1'498'542 bytes
First seen:2026-06-15 17:01:39 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 3072:ZXDDkSZbN1ph97N5dKfIVNGf/2KxKetjet5+9B/5Tp1QsRo:t
TLSH T12C6502B5A38F3EA343F4277DAE24ECD17619B12AC856298F30A545EA60BD910D6C7C70
Magika javascript
Reporter abuse_ch
Tags:js xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.32320.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a30301534eaf30d8ce668d7
Tags:
obfuscate autorun xtreme blic
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade repaired
Link:
https://www.filescan.io/uploads/6a3030068161ac6cb5614de0/reports/708ad8f0-be31-4822-98d0-5f4a0822fb95/overview
Verdict:
Malicious
Labled as:
VBS/Agent.TKB trojan
Link:
https://www.hybrid-analysis.com/sample/7e64afef92c1568634c5bd45ce0efaaf1685ef75d12cc54b241396cce8f2e8d3
Verdict:
Malicious
File Type:
text
First seen:
2026-06-14T20:34:00Z UTC
Last seen:
2026-06-15T13:17:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/7e64afef92c1568634c5bd45ce0efaaf1685ef75d12cc54b241396cce8f2e8d3/results?tab=lookup
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1928204
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates processes via WMI
Drops script or batch files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1928204 Sample: Purchase order T43607_pdf.js Startdate: 15/06/2026 Architecture: WINDOWS Score: 100 35 files01.click 2->35 43 Suricata IDS alerts for network traffic 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 13 other signatures 2->49 8 wscript.exe 1 3 2->8         started        12 powershell.exe 14 15 2->12         started        15 wscript.exe 1 2->15         started        17 svchost.exe 1 1 2->17         started        signatures3 process4 dnsIp5 31 Purchase order T43....js:Zone.Identifier, ASCII 8->31 dropped 33 C:\Users\...\Purchase order T43607_pdf.js, ASCII 8->33 dropped 57 Suspicious powershell command line found 8->57 59 Wscript starts Powershell (via cmd or directly) 8->59 61 Drops script or batch files to the startup folder 8->61 69 3 other signatures 8->69 39 files01.click 45.136.5.4, 49681, 49693, 80 AS-PIXOOFTR Turkey 12->39 63 Writes to foreign memory regions 12->63 65 Injects a PE file into a foreign processes 12->65 67 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 12->67 19 CasPol.exe 4 12->19         started        23 conhost.exe 12->23         started        25 powershell.exe 15->25         started        41 127.0.0.1 unknown unknown 17->41 file6 signatures7 process8 dnsIp9 37 203.202.232.132, 2828, 49692 WHITELABELUS Turkey 19->37 51 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->51 53 Writes to foreign memory regions 25->53 55 Injects a PE file into a foreign processes 25->55 27 CasPol.exe 3 25->27         started        29 conhost.exe 25->29         started        signatures10 process11
Score:
5%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/7e64afef92c1568634c5bd45ce0efaaf1685ef75d12cc54b241396cce8f2e8d3
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7e64afef92c1568634c5bd45ce0efaaf1685ef75d12cc54b241396cce8f2e8d3/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/7e64afef92c1568634c5bd45ce0efaaf1685ef75d12cc54b241396cce8f2e8d3
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pzsk734syflimngfxvc44dx2v4lil33v2ewmkszecolmz2hs5djq._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution rat trojan
Link:
https://tria.ge/reports/260615-vj7blafx9k/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Drops startup file
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Family: Xworm
Process spawned unexpected child process
Malware Config
C2 Extraction:
203.202.232.132:2828
Dropper Extraction:
http://files01.click/htmlweb/axis/optimized.png
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments