MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e81ab654b7791538849e8cdbc60b170c2e8de58bc38ba5248c0a6861ee3dae7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e81ab654b7791538849e8cdbc60b170c2e8de58bc38ba5248c0a6861ee3dae7
SHA3-384 hash: d9e6591b53f4a41a3f9304388399c7e9c3341dbc71ce44ae0157ab28e71f04be6eea430f653f72a398a0eb1093593edd
SHA1 hash: f249af168bb15d07942490471044ce82c940faf4
MD5 hash: 4c5842bc4dc5b5807709cfc4105e9f0a
humanhash: dakota-wolfram-saturn-item
File name:Richiedi articoli.js
Download: download sample
Signature XWorm
Create hunting rule
File size:51'845 bytes
First seen:2025-09-03 07:49:44 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 384:/P71AbHiLkx+TcQgokx17u96F/48xNxg4NfHFy8H6QIm7NE8ty81dNtHdkOine9b:c
TLSH T15D33F3DC37E7BE0B95AD2F65727CE3942F429A0657DF160222C8E88D5572B43EAC40B1
Magika javascript
Reporter JAMESWT_WT
Tags:45-55-67-254 js Spam-ITA xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b6ab453e988eb6ab8392d4
Tags:
obfuscate autorun xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 evasive fingerprint obfuscated obfuscated powershell
Link:
https://www.filescan.io/uploads/68b7f35939a6221faa7c14d2/reports/ca7f4987-7627-420e-ac6c-1b6a8e612b92/overview
Verdict:
Malicious
Labled as:
VBS/Agent.TKB trojan
Link:
https://www.hybrid-analysis.com/sample/9e81ab654b7791538849e8cdbc60b170c2e8de58bc38ba5248c0a6861ee3dae7
Verdict:
Malicious
File Type:
js
First seen:
2025-09-02T04:51:00Z UTC
Last seen:
2025-09-02T04:51:00Z UTC
Hits:
~1000
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/9e81ab654b7791538849e8cdbc60b170c2e8de58bc38ba5248c0a6861ee3dae7/results?tab=lookup
Score:
92%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/9e81ab654b7791538849e8cdbc60b170c2e8de58bc38ba5248c0a6861ee3dae7
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9e81ab654b7791538849e8cdbc60b170c2e8de58bc38ba5248c0a6861ee3dae7/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/9e81ab654b7791538849e8cdbc60b170c2e8de58bc38ba5248c0a6861ee3dae7
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t2a2wzklo6ivhccj5dg3yyfrodborxsyxq4luusiyctimhxd3ltq._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution persistence rat trojan
Link:
https://tria.ge/reports/250903-jplrassrs3/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Process spawned unexpected child process
Xworm
Xworm family
Malware Config
C2 Extraction:
45.55.67.254:4580
Dropper Extraction:
https://archive.org/download/optimized_msi_20250821/optimized_MSI.png
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9e81ab654b77/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9e81ab654b7791538849e8cdbc60b170c2e8de58bc38ba5248c0a6861ee3dae7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments