MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2d37a411be06457caf2304ba93bc85e447082acbbc8c82f6d171e7911045751. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XWorm


Vendor detections: 13



SHA256 hash: b2d37a411be06457caf2304ba93bc85e447082acbbc8c82f6d171e7911045751
SHA3-384 hash: d7cdd8c076febfe0f8c1fc551244971b68321071e30213df21858fbc4b0fcfb3b4ed4d3b51e70bbd07f47db3c4317cc6
SHA1 hash: 0e27b805ea2912c6e619e16a429820d5014b7500
MD5 hash: 36f7f4d6eb585a5d5eff759287f6b8d7
humanhash: montana-five-missouri-autumn
File name: Aviso_Pagamento_SantanderBrasil_20240317.lnk
Signature: XWorm
File size: 2'383 bytes
First seen: 2025-08-08 16:39:50 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/x-ms-shortcut
ssdeep: 48:8W9mf74zJSvZtJbkT/kO+xADSPodLXuHH3j3nul9:8qN47Yg/xADDuTul
TLSH: T1D841E1052BE80715E2F34F3155BBAF56A57BBC1AEB25AE1E0082124948B2A10DC25F7B
Magika: lnk
Reporter: abuse_ch
Tags: lnk xworm

Intelligence


File Origin
Uploads: 1
Downloads: 51
Origin country: SE
Vendor Threat Intelligence

Verdict: Malicious
Score: 96.5%
Tags: autorun xtreme shell virus

Result
Verdict: Malicious
File Type: LNK File - Malicious
Behaviour: BlacklistAPI detected

Verdict: Malicious
Labeled as: Trojan.PowerShell.LNK.Generic.12; BZC.PZQ.Boxter.791

Result
Verdict: MALICIOUS
Details:
- Hidden Powershell: Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
- Base64 Encoded URL: Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.

Result
Threat name:
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) starts blacklisted processes
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected XWorm
Behaviour
Behavior Graph (ID 1753191; sample Aviso_Pagamento_SantanderBr...; start date 08/08/2025; architecture WINDOWS; score 100): the graph image is not reproduced here. Network endpoints recorded in the graph: xmbless25.duckdns.org (104.161.16.249, port 6000, IOFLOODUS, United States) and latencyx.pythonanywhere.com (35.173.69.207, port 443, AMAZON-AESUS, United States). Dropped files recorded in the graph: C:\Users\user\AppData\Local\Temp\tmp2066.js, C:\Users\user\AppData\...\SilverEagle.bat, and several further .bat files under C:\Users\user\AppData\Roaming\... created by the cmd.exe / wscript.exe / powershell.exe chain.
Verdict: Malware
YARA: 4 match(es)
Tags: Batch Command DeObfuscated Execution: CMD in LNK Execution: PowerShell in LNK LNK LOLBin LOLBin:cmd.exe Malicious PowerShell PowerShell Call T1059.001 T1059.003 T1202: Indirect Command Execution T1204.002

Threat name: Shortcut.Backdoor.Kimsuky
Status: Malicious
First seen: 2025-08-07 23:02:25 UTC
File Type: Binary
AV detection: 14 of 24 (58.33%)
Threat level: 5/5
Verdict: malicious
Label(s):
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:xworm execution rat trojan
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Detect Xworm Payload
Process spawned unexpected child process
Xworm
Xworm family
Malware Config
C2 Extraction: xmbless25.duckdns.org:6000
Dropper Extraction: https://latencyx.pythonanywhere.com/download/05aedb05a9f147dba823e198b2ac79db.txt
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Execution_in_LNK
Author: @bartblaze
Description: Identifies execution artefacts in shortcut (LNK) files.

Rule name: LNK_sospechosos
Author: Germán Fernández
Description: Detects suspicious .lnk files

Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.

Rule name: SUSP_LNK_CMD
Author: SECUINFRA Falcon Team
Description: Detects the reference to cmd.exe inside an lnk file, which is suspicious

Rule name: SUSP_LNK_PowerShell
Author: SECUINFRA Falcon Team
Description: Detects the reference to powershell inside an lnk file, which is suspicious

Rule name: SUSP_LNK_SuspiciousCommands
Author: Florian Roth (Nextron Systems)
Description: Detects LNK file with suspicious content

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD command that can be abused by a threat actor (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.