MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af5bc8fc2df1debff6eeeb376cb5bd84ae7a16f22eff147241f520cc9966e51a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af5bc8fc2df1debff6eeeb376cb5bd84ae7a16f22eff147241f520cc9966e51a
SHA3-384 hash: 3cc5bf85b261731666d26a1abf4c278f8484994254669d3c19551fc0871acb1e382e4d05d561a2b86c3775e0aad4b577
SHA1 hash: 1d25262637f29232dcc0d0bc25e0f8db868119a3
MD5 hash: ef534f50808c1e91e0e1d17823f8c5b1
humanhash: louisiana-ceiling-may-hamper
File name:Password.txt.lnk
Download: download sample
Signature XWorm
Create hunting rule
File size:1'325 bytes
First seen:2026-04-17 14:23:00 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 24:8KjCnmiwTXb8AWZ+/efVx4I0Wdz13z1NvMK28y/msdE:8Xm1TPlID1D1F28a
TLSH T10F2146411BE96796E337CD320976F21107367951EE42D35D4660B18C4878E10FA75F7B
Magika lnk
Reporter abuse_ch
Tags:lnk xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
61
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
LNK
Details
LNK
a command line and any observed urls
Link:
https://research.acce.ciphertechsolutions.com/results/469e828e-7ba3-40bd-ba38-93be2b2ce8f8/
Detection(s):
SecuriteInfo.com.LNK.PowerShell.Exec-5.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30517.LnkHeur.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.LOLBinOddLook.20220523.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL
Create hunting rule

TwinWave.EviLNK.PKillLnkMSHTA.20220823.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69e21b7ff68adfe1003abd32
Tags:
autorun xtreme shell sage
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/af5bc8fc2df1debff6eeeb376cb5bd84ae7a16f22eff147241f520cc9966e51a/results/dashboard
Payload URLs
URL
File name
http://overly.dinergysolutions.org
LNK File
Behaviour
BlacklistAPI detected
Gathering data
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/af5bc8fc2df1debff6eeeb376cb5bd84ae7a16f22eff147241f520cc9966e51a
Verdict:
Malicious
File Type:
lnk
First seen:
2026-04-15T14:36:00Z UTC
Last seen:
2026-04-19T03:08:00Z UTC
Hits:
~10
Detections:
Trojan.WinLNK.Agent.sb Trojan.Win32.Agent.sb HEUR:Trojan.HTA.SAgent.gen PDM:Exploit.Win32.Generic HEUR:Trojan.Script.Generic HEUR:Trojan.WinLNK.Agent.gen HEUR:Trojan.Multi.GenBadur.genw Trojan.JS.SAgent.sb Trojan-Dropper.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/af5bc8fc2df1debff6eeeb376cb5bd84ae7a16f22eff147241f520cc9966e51a/results?tab=lookup
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1900212
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected malicious Powershell script
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1900212 Sample: Password.txt.lnk Startdate: 17/04/2026 Architecture: WINDOWS Score: 100 55 overly.dinergysolutions.org 2->55 57 cablestreamstore.com 2->57 59 bandgarms.com 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus detection for URL or domain 2->65 67 18 other signatures 2->67 9 cmd.exe 1 2->9         started        12 wscript.exe 2->12         started        14 wscript.exe 2->14         started        16 2 other processes 2->16 signatures3 process4 dnsIp5 85 Windows shortcut file (LNK) starts blacklisted processes 9->85 87 Wscript starts Powershell (via cmd or directly) 9->87 89 PowerShell case anomaly found 9->89 20 powershell.exe 15 9->20         started        23 conhost.exe 9->23         started        25 cmd.exe 12->25         started        91 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->91 93 Suspicious execution chain found 14->93 95 Creates processes via WMI 14->95 49 overly.dinergysolutions.org 192.64.119.254, 49717, 80 NAMECHEAP-NETUS United States 16->49 51 bandgarms.com 193.26.115.146, 443, 49719, 49720 QUICKPACKETUS Netherlands 16->51 45 DE81A8C0-2B02-4283-A41B-7F2F183D22B3.vbs, ASCII 16->45 dropped 47 DE81A8C0-2B02-4283-A41B-7F2F183D22B3.bat, ASCII 16->47 dropped 97 Uses schtasks.exe or at.exe to add and modify task schedules 16->97 27 notepad.exe 16->27         started        29 conhost.exe 16->29         started        31 schtasks.exe 1 16->31         started        file6 signatures7 process8 signatures9 69 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 20->69 71 Writes to foreign memory regions 20->71 73 Injects a PE file into a foreign processes 20->73 33 csc.exe 2 20->33         started        75 Windows shortcut file (LNK) starts blacklisted processes 25->75 77 Wscript starts Powershell (via cmd or directly) 25->77 79 PowerShell case anomaly found 25->79 36 powershell.exe 25->36         started        39 conhost.exe 25->39         started        process10 dnsIp11 53 cablestreamstore.com 209.99.187.182, 63244 ROYALEASNDE United States 33->53 41 WerFault.exe 21 33->41         started        81 Writes to foreign memory regions 36->81 83 Injects a PE file into a foreign processes 36->83 43 csc.exe 1 36->43         started        signatures12 process13
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af5bc8fc2df1debff6eeeb376cb5bd84ae7a16f22eff147241f520cc9966e51a/
Verdict:
Malicious
Threat:
Trojan.Win32.Agent
Link:
https://tip.neiki.dev/file/af5bc8fc2df1debff6eeeb376cb5bd84ae7a16f22eff147241f520cc9966e51a
Threat name:
Shortcut.Trojan.Ravartar
Create hunting rule
Status:
Malicious
First seen:
2026-04-16 00:13:20 UTC
File Type:
Binary
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v5n4r7bn6hpl75xo5m3wznn5qsxhufxsf37ri4sb6uqmzglg4una._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm defense_evasion discovery execution persistence ransomware rat trojan
Link:
https://tria.ge/reports/260417-rqey5sht3r/
Behaviour
Modifies registry class
Opens file in notepad (likely ransom note)
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Family: Xworm
Process spawned unexpected child process
Malware Config
C2 Extraction:
cablestreamstore.com:63244
Dropper Extraction:
http://overly.dinergysolutions.org
https://bandgarms.com/DGSOAFYJKXROATIQSWNZ
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/af5bc8fc2df1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/af5bc8fc2df1debff6eeeb376cb5bd84ae7a16f22eff147241f520cc9966e51a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments