MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9271c993b9b92fbb4be352b015891ee51d183cc126cdb7b231fb5ada08f65b76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9271c993b9b92fbb4be352b015891ee51d183cc126cdb7b231fb5ada08f65b76
SHA3-384 hash: 64e778ed5172f15075e6be6c88aeb1310a2c6b092154b8c438c6c9a99f241ab14e0936dae9b616ce38e1e8c17116b20c
SHA1 hash: c16d11c42783e9f6e2a2661b1cf3e42faa75bfa1
MD5 hash: 398a295e9b048b72235b7c0989d0f999
humanhash: crazy-crazy-black-network
File name:Maersk_Invoice_INV-2025-358104_EUR12340.iso
Download: download sample
Signature XWorm
Create hunting rule
File size:264'192 bytes
First seen:2025-08-29 10:46:10 UTC
Last seen:2025-08-29 11:38:18 UTC
File type: iso
MIME type:application/x-iso9660-image
ssdeep 6144:QuTjTAKhCySmEsI+5Fty8hF5nsP5/y2jGpzpvAkA5e:QqTAKhLAJ+5Fty8hF58y
TLSH T1D544F73ECAA5ADD4C32B74F05A4D3F1F008C0FA3B1741B2CBAED64A817664459F76A58
TrID 85.7% (.NULL) null bytes (2048000/1)
10.7% (.HTP) HomeLab/BraiLab Tape image (256000/1)
3.3% (.STL) STereoLithography (binary, no rem) (80000/1)
0.1% (.ISO) ISO 9660 CD image (2545/36/1)
0.0% (.BIN/MACBIN) MacBinary 1 (1033/5)
Magika iso
Reporter cocaman
Tags:INVOICE iso Maersk xworm


Avatar
cocaman
Malicious email (T1566.001)
From: ""Maersk Line Accounts Receivable"
<accountsreceivable.maerskline@konjopower.com>" (likely spoofed)
Received: "from mail.konjopower.com (unknown [178.250.187.95]) "
Date: "Mon, 11 Aug 2025 16:40:07 -0700"
Subject: "=?UTF-8?B?SW52b2ljZSBJTlYtMjAyNS0zNTgxMDQg4oCTIER1ZSBBdWd1?=
=?UTF-8?B?c3QgMjAsIDIwMjU=?="
Attachment: "Maersk_Invoice_INV-2025-358104_EUR12340.iso"

Intelligence

File Origin
# of uploads :
2
# of downloads :
68
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Maersk_Invoice_INV-2025-358104_EUR12340.bat
File size:201'752 bytes
SHA256 hash: 3dd6d93087742225b99945aa9d2d9a74073f659fff3f45d7f9a2d3831d08b2e9
MD5 hash: e227172ca5a2eedee600d062cffce870
MIME type:text/plain
Signature XWorm
Vendor Threat Intelligence
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b1852d3e988eb6ab82eb9e
Tags:
malware
Verdict:
Malicious
Labled as:
Malware.U.XWorm
Link:
https://www.hybrid-analysis.com/sample/9271c993b9b92fbb4be352b015891ee51d183cc126cdb7b231fb5ada08f65b76
Verdict:
Malicious
File Type:
iso
First seen:
2025-08-11T04:40:00Z UTC
Last seen:
2025-08-11T04:40:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/9271c993b9b92fbb4be352b015891ee51d183cc126cdb7b231fb5ada08f65b76/results?tab=lookup
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9271c993b9b92fbb4be352b015891ee51d183cc126cdb7b231fb5ada08f65b76/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2025-08-11 12:08:54 UTC
File Type:
Binary (Archive)
Extracted files:
1
AV detection:
10 of 36 (27.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sjy4te5zxex3ws7dkkyblci64uorqpgbe3g3pmrr7nnnuchwln3a._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm defense_evasion execution ransomware rat trojan
Link:
https://tria.ge/reports/250829-ntdcyastfs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Badlisted process makes network request
Clears Windows event logs
Detect Xworm Payload
Xworm
Xworm family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/9271c993b9b92fbb4be352b015891ee51d183cc126cdb7b231fb5ada08f65b76

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_EXE_in_ISO
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects ISO files that contains an Exe file. Does not need to be malicious
Reference:Internal Research
Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

iso 9271c993b9b92fbb4be352b015891ee51d183cc126cdb7b231fb5ada08f65b76

(this sample)

XWorm

Batch (bat) bat 3dd6d93087742225b99945aa9d2d9a74073f659fff3f45d7f9a2d3831d08b2e9

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 3dd6d93087742225b99945aa9d2d9a74073f659fff3f45d7f9a2d3831d08b2e9
  
Dropping
MD5 e227172ca5a2eedee600d062cffce870

Comments