MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f28f82d21fe99d0efdcab403f73870d68fd94e6d0f762e658d923ccd1e7424c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f28f82d21fe99d0efdcab403f73870d68fd94e6d0f762e658d923ccd1e7424c
SHA3-384 hash: 3ac2f22c045179f8b27c53d347d750c4eb59a2aca2f6f5193b5828bcb984939ba95768ce6a567027ca787cfc9ffb3ea6
SHA1 hash: b9656b9fa2056f4c4a6509a1f67eceaa37a68c17
MD5 hash: 1c244ba5cf7eae15117d0819b8018a43
humanhash: white-california-fillet-green
File name:Atualizacao-Plugin-05-2025-1747483028.js
Download: download sample
Signature XWorm
Create hunting rule
File size:360'071 bytes
First seen:2025-05-17 15:40:29 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 192:SCsvAlyI7BugM2gmIUUgyvvipKjppg8d3hmmDvlvp65dhKjvfDU+UuuxHxDTTUNm:16y2xF9/O
Threatray 2'264 similar samples on MalwareBazaar
TLSH T1CB742B9D9DE3146625DFF730A68726BC99376754C902A6FBE2B3B63310B8E1C20F1065
Magika javascript
Reporter GDHJDSYDH1
Tags:Downloader js Loader script xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
486
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.6340.26863.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6828acf4375681df7c1a180e
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/6828ae1fc609634bd7c6fba5/reports/abe52ee1-954e-44cf-869c-4b6eccce3447/overview
Verdict:
Malicious
Labled as:
Trojan.Script.Heuristic
Link:
https://www.hybrid-analysis.com/sample/9f28f82d21fe99d0efdcab403f73870d68fd94e6d0f762e658d923ccd1e7424c
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1692936
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1692936 Sample: Atualizacao-Plugin-05-2025-... Startdate: 17/05/2025 Architecture: WINDOWS Score: 100 40 backupclientes.ddns.net 2->40 42 javaaplugin.com 2->42 44 3 other IPs or domains 2->44 60 Suricata IDS alerts for network traffic 2->60 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 68 20 other signatures 2->68 9 wscript.exe 1 1 2->9         started        13 powershell.exe 3 17 2->13         started        signatures3 66 Uses dynamic DNS services 40->66 process4 dnsIp5 48 javaaplugin.com 82.29.188.81, 443, 49713, 49716 NTLGB United Kingdom 9->48 76 JScript performs obfuscated calls to suspicious functions 9->76 78 Suspicious powershell command line found 9->78 80 Wscript starts Powershell (via cmd or directly) 9->80 82 2 other signatures 9->82 16 powershell.exe 14 15 9->16         started        36 C:\Users\Public\Downloads\cytometrically.js, Unicode 13->36 dropped 20 wscript.exe 1 13->20         started        22 conhost.exe 13->22         started        file6 signatures7 process8 dnsIp9 38 ia601304.us.archive.org 207.241.227.174, 443, 49720, 49730 INTERNET-ARCHIVEUS United States 16->38 50 Writes to foreign memory regions 16->50 52 Injects a PE file into a foreign processes 16->52 24 MSBuild.exe 2 16->24         started        28 conhost.exe 16->28         started        54 System process connects to network (likely due to code injection or exploit) 20->54 56 Suspicious powershell command line found 20->56 58 Wscript starts Powershell (via cmd or directly) 20->58 30 powershell.exe 15 20->30         started        signatures10 process11 dnsIp12 46 backupclientes.ddns.net 151.243.218.133, 49727, 7000 RASANAIR Iran (ISLAMIC Republic Of) 24->46 70 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->70 72 Writes to foreign memory regions 30->72 74 Injects a PE file into a foreign processes 30->74 32 MSBuild.exe 1 30->32         started        34 conhost.exe 30->34         started        signatures13 process14
Score:
57%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/9f28f82d21fe99d0efdcab403f73870d68fd94e6d0f762e658d923ccd1e7424c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f28f82d21fe99d0efdcab403f73870d68fd94e6d0f762e658d923ccd1e7424c/
Threat name:
Script-JS.Backdoor.Xworm
Create hunting rule
Status:
Suspicious
First seen:
2025-05-17 14:59:15 UTC
File Type:
Text (JavaScript)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t4upqljb72m5b364vnad644hbvup3fhg2d3wfzsy3er4zuphijga._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
2358c0ec98db0b54700a61647dce2769687074ae7cc82dee6472ad41a801ec01
XWorm
3c22272754c28b6a59811b0317095e58411e3341144a7bccdcd38de156b608c6
XWorm
531fb63826f4d36eb31debe554073a4f4a73eaca264699b21e24e912b831f81a
XWorm
d95f052c98a61e3fef8dc23624204d8ef7b9816a69716a6265303d4beda13c08
XWorm
eb81077a38002c54084490e3097a242e5b606b2546b76f50f7ebe9e9acf8cded
XWorm
error
XWorm
+ 2'254 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250517-s4xlsaak7z/
Behaviour
Script User-Agent
Command and Scripting Interpreter: JavaScript
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dropper
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/9f28f82d21fe99d0efdcab403f73870d68fd94e6d0f762e658d923ccd1e7424c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Java Script (JS) js 9f28f82d21fe99d0efdcab403f73870d68fd94e6d0f762e658d923ccd1e7424c

(this sample)

anyrun
any.run
https://app.any.run/tasks/3db04baa-e5d5-4baa-8172-904599eec395
  
Delivery method
Distributed via web download

Comments