MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab582206dc5682e528a6b1b5457661e5292acfb0a5a3aa4a2bd81f22cb3a1c73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab582206dc5682e528a6b1b5457661e5292acfb0a5a3aa4a2bd81f22cb3a1c73
SHA3-384 hash: 4c963949ce8d061dc5098cf88fe643a28f28a0bf21932d563a84c5b32aa7a5ae68fd58926008f47e2d6aa256c7d6a4eb
SHA1 hash: 6b12b8a1c30860ba2ab65c4ae8647b46dafd0fa2
MD5 hash: 7249b91512f6b21df1dfee45b10d7126
humanhash: edward-eleven-nevada-friend
File name:awb_DHL_shipping_document_bl_inv_packing_commerical_docs_21_01_202600000000000000000000000000000000000000000000000000000000000000000000000.js
Download: download sample
Signature XWorm
Create hunting rule
File size:41'597 bytes
First seen:2026-01-21 11:51:57 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 192:Z0n837gLu28vtR/7ti8l4XaJcJUdXlkiUFlXQ7:6838LL8ZiMy4k4
Threatray 684 similar samples on MalwareBazaar
TLSH T1C5136292F74CC98DDD5C0A6DCA39FCFE679A61B9138147112F04D9CACC6854E82236AF
Magika javascript
Reporter lowmal3
Tags:js xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6970be05f3cf908ba506fcbc
Tags:
xtreme shell sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm fingerprint masquerade repaired
Link:
https://www.filescan.io/uploads/6970be015db9ae47708badb5/reports/6e0b3015-8bed-4c77-8f38-495db483031c/overview
Verdict:
Suspicious
Labled as:
SVM:TrojanDownloader/JS.Maloader
Link:
https://www.hybrid-analysis.com/sample/ab582206dc5682e528a6b1b5457661e5292acfb0a5a3aa4a2bd81f22cb3a1c73
Verdict:
Malicious
File Type:
js
First seen:
2026-01-21T07:39:00Z UTC
Last seen:
2026-01-23T09:59:00Z UTC
Hits:
~100
Detections:
Trojan-Dropper.Win32.Agent.sb Trojan-Downloader.PowerShell.NanoShield.sb Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/ab582206dc5682e528a6b1b5457661e5292acfb0a5a3aa4a2bd81f22cb3a1c73/results?tab=lookup
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1854798
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1854798 Sample: commerical_docs_21_01_20260... Startdate: 21/01/2026 Architecture: WINDOWS Score: 100 44 xxblessing2026now.duckdns.org 2->44 46 habibjee.store 2->46 58 Suricata IDS alerts for network traffic 2->58 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 66 18 other signatures 2->66 9 wscript.exe 1 2->9         started        12 svchost.exe 2 2->12         started        14 svchost.exe 1 2->14         started        signatures3 64 Uses dynamic DNS services 44->64 process4 signatures5 68 Suspicious powershell command line found 9->68 70 Wscript starts Powershell (via cmd or directly) 9->70 72 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->72 74 2 other signatures 9->74 16 powershell.exe 14 23 9->16         started        21 conhost.exe 12->21         started        23 conhost.exe 14->23         started        process6 dnsIp7 42 habibjee.store 172.67.167.137, 443, 49690 CLOUDFLARENETUS United States 16->42 36 C:\Users\user\AppData\...\0vlzwdaw.cmdline, Unicode 16->36 dropped 50 Writes to foreign memory regions 16->50 52 Modifies the context of a thread in another process (thread injection) 16->52 54 Suspicious execution chain found 16->54 56 Injects a PE file into a foreign processes 16->56 25 RegAsm.exe 1 4 16->25         started        30 csc.exe 3 16->30         started        32 conhost.exe 16->32         started        file8 signatures9 process10 dnsIp11 48 xxblessing2026now.duckdns.org 185.167.61.11, 3025, 49692 INETLTDTR Turkey 25->48 38 C:\Users\user\AppData\Roaming\svchost.exe, PE32+ 25->38 dropped 76 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->76 78 Drops PE files with benign system names 25->78 40 C:\Users\user\AppData\Local\...\0vlzwdaw.dll, PE32 30->40 dropped 34 cvtres.exe 1 30->34         started        file12 signatures13 process14
Score:
92%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/ab582206dc5682e528a6b1b5457661e5292acfb0a5a3aa4a2bd81f22cb3a1c73
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab582206dc5682e528a6b1b5457661e5292acfb0a5a3aa4a2bd81f22cb3a1c73/
Verdict:
Malicious
Threat:
Family.REVERSELOADER
Link:
https://tip.neiki.dev/file/ab582206dc5682e528a6b1b5457661e5292acfb0a5a3aa4a2bd81f22cb3a1c73
Threat name:
Script-JS.Backdoor.Xworm
Create hunting rule
Status:
Malicious
First seen:
2026-01-21 10:56:13 UTC
File Type:
Text (JavaScript)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vnmcebw4k2bokkfgwg2uk5tb4uusvt5quwr2usrl3apsfsz2drzq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
15a9f29aaba59940714e92ef77712542ddb68ceb2f82f62ee85e30956ec23929
XWorm
3716c515929ba48afbc09a0f97ea788c69c47f6037a2b203f1c165faff10f78c
XWorm
5368ee78ec544ea4b93c7e7cf85ca44329b2f3931d8f93194be18866052c5731
XWorm
6385ba95a2f179fac688bc5524caebdd20de2fdd3ddbbc531351f8db1965660c
XWorm
68c553786094522830920122539df1d3a8f04caf880d84415728ffac780a4c84
XWorm
75e50384053e487d49bae8f857fd39af0179c293496f0312072dbaf9af9c085c
XWorm
ada3af84801eb7e4a28b6e1371b963e820fafc35bd6b7bd15a9a08180cbc17c5
XWorm
bc6edff1b1148a9ad6a3aa8db0371d55ac57c8307ed841fc8e8030bdf4bed7ab
XWorm
cf47a12ab207f39bb11672dc366839a72b61ee81d0870edffa2c3c5c058a0e0e
XWorm
error
XWorm
+ 674 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm defense_evasion discovery execution persistence rat trojan
Link:
https://tria.ge/reports/260121-n11rtabw3d/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Badlisted process makes network request
Detect Xworm Payload
Process spawned unexpected child process
Xworm
Xworm family
Malware Config
C2 Extraction:
xxblessing2026now.duckdns.org:3025
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ab582206dc56/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab582206dc5682e528a6b1b5457661e5292acfb0a5a3aa4a2bd81f22cb3a1c73

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Java Script (JS) js ab582206dc5682e528a6b1b5457661e5292acfb0a5a3aa4a2bd81f22cb3a1c73

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments