MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aaf5fd4e2f34a1054d0949a9652eaee489dfc4f61a73f39d19ebb8beaf38bc70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


xw


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aaf5fd4e2f34a1054d0949a9652eaee489dfc4f61a73f39d19ebb8beaf38bc70
SHA3-384 hash: b6bbd56e29d2f416ee6b0e0f940ece32fe0c6dbaf4bb797a9f78300c76dcfa85e51e89911e9a2a12130613a4a910700e
SHA1 hash: af957e860567c5e3128e973db32e05dc599fcf6f
MD5 hash: d1128f173cefb97fc97021bdeb378c00
humanhash: georgia-orange-india-pip
File name:Payment Receipt-pdf.js
Download: download sample
Signature xw
Create hunting rule
File size:1'308'142 bytes
First seen:2026-01-22 15:04:46 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 768:PIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIn:9
Threatray 257 similar samples on MalwareBazaar
TLSH T17F55EC542F4580EC589E8936718B738E5D30E49CB6EE89147319D78E82A3E6DF08737E
Magika javascript
Reporter James_inthe_box
Tags:exe js xw

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
US US
Vendor Threat Intelligence
No detections
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69723cacf3cf908ba5075c6f
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 fingerprint masquerade obfuscated powershell repaired
Link:
https://www.filescan.io/uploads/69723cc15db9ae47708dcfc2/reports/46dd4d9c-9908-4223-b943-2189a8429509/overview
Verdict:
Suspicious
Labled as:
JS/Agent.DGD7
Link:
https://www.hybrid-analysis.com/sample/aaf5fd4e2f34a1054d0949a9652eaee489dfc4f61a73f39d19ebb8beaf38bc70
Verdict:
Malicious
File Type:
js
First seen:
2026-01-22T00:29:00Z UTC
Last seen:
2026-01-24T01:59:00Z UTC
Hits:
~100
Detections:
Backdoor.Agent.TCP.C&C HEUR:Trojan.Script.Generic Trojan.MSIL.Crypt.sb Trojan.Agentb.TCP.C&C PDM:Trojan.Win32.Generic PDM:Trojan.Win32.GenAutorunSchedulerTaskRun.c Trojan.JS.SAgent.sb Trojan-Downloader.MSIL.Seraph.d Trojan-Downloader.MSIL.Agent.c Trojan-Downloader.JS.SLoad.sb Trojan.VBKrypt.UDP.ServerRequest Trojan.MSIL.Miner.sb HEUR:Trojan.Multi.Powedon.a
Link:
https://opentip.kaspersky.com/aaf5fd4e2f34a1054d0949a9652eaee489dfc4f61a73f39d19ebb8beaf38bc70/results?tab=lookup
Score:
13%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/aaf5fd4e2f34a1054d0949a9652eaee489dfc4f61a73f39d19ebb8beaf38bc70
Verdict:
inconclusive
YARA:
1 match(es)
Link:
https://app.malva.re/file/d1128f173cefb97fc97021bdeb378c00
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aaf5fd4e2f34a1054d0949a9652eaee489dfc4f61a73f39d19ebb8beaf38bc70/
Verdict:
Malicious
Threat:
Family.REVERSELOADER
Link:
https://tip.neiki.dev/file/aaf5fd4e2f34a1054d0949a9652eaee489dfc4f61a73f39d19ebb8beaf38bc70
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vl272trpgsqqktijjguwklvo4se57rhwdjz7hhiz5o4l5lzyxrya._file
Verdict:
malicious
Label(s):
darkvisionrat
Create hunting rule
xworm
Create hunting rule
Similar samples:
1f5baad6f2f66ce9a8969345456821b053077da7f784ccff02af1831ec3aca07
xw
3b1fe8fbb2e89bed49f8cfcb3d111e0b0f7a2db9dd9d18dac5d232b610572190
xw
4123bedccc18eee83aa4c7d8e1b64191ddde5fc234bd3c1cbd7f998571e47112
xw
6f16060b9b2ed31c7f92adc048988ab883e39654643cde96ef767fddd2475915
xw
7df13306391cfb01b4552a061bcc4ef1c07494381306b7fac1b7ddba3a213063
xw
9271e883e23b923bbd2d23230e8db91ff707c26f6140f5f81f2695b66e7bc434
xw
b0be564eb26f9cf2f58ea450d43194f3a4fb7dd2ca16375e3ecbfd636e5e7c13
xw
d9fe09a4c63d64a5adf1bdd5a04034401831f76b7330547a991fe4bf29cf419f
xw
error
xw
+ 247 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:darkvision family:xworm collection defense_evasion discovery execution persistence rat trojan
Link:
https://tria.ge/reports/260122-sggxtaex2h/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Drops startup file
Executes dropped EXE
Prevents Microsoft Defender from scanning certain paths by adding an exclusion.
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
DarkVision Rat
Darkvision family
Detect Xworm Payload
Process spawned unexpected child process
Xworm
Xworm family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/aaf5fd4e2f34a1054d0949a9652eaee489dfc4f61a73f39d19ebb8beaf38bc70

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments