MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b65da47cf6dc6bc5ae6db9041f67c97a04f28672cea65e7ad9a0359391cdde48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b65da47cf6dc6bc5ae6db9041f67c97a04f28672cea65e7ad9a0359391cdde48
SHA3-384 hash: 557c9d37afc61a4e837b2ca84e317a74097bd2f1243eb18114c94f931924de903e8c51a3476f75a67e4ca478d3c1c0bc
SHA1 hash: ca7f6535c978c06b0fa8872be67ea8ab8aa97c6a
MD5 hash: bc136da985c1402a1181f4dbc30e5fdd
humanhash: quiet-quebec-foxtrot-beryllium
File name:bc136da985c1402a1181f4dbc30e5fdd.js
Download: download sample
Signature XWorm
Create hunting rule
File size:1'169'300 bytes
First seen:2026-03-11 08:19:13 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 24576:2CC+H5LL6yIapIahCRHCyQkJ60uCHQALFL6CutHLtH6R+QHRL6CJLHNMSwetSL60:pBV
Threatray 1'502 similar samples on MalwareBazaar
TLSH T1664509B2B1B24DC02617EE2CCC9A6605DCC90A2E17BFCF50FED1A6897587C657423E19
Magika javascript
Reporter abuse_ch
Tags:js xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.VBS.Starter.519.2615.5055.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b125dce5dc8e2b2c3266a7
Tags:
obfuscate autorun xtreme virus
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
repaired
Link:
https://www.filescan.io/uploads/69b125aad967dbda74f213bc/reports/6afac535-7c96-4bd5-a596-aa0d2935e74c/overview
Verdict:
Malicious
Labled as:
GT:JS.ObfPadding.1
Link:
https://www.hybrid-analysis.com/sample/b65da47cf6dc6bc5ae6db9041f67c97a04f28672cea65e7ad9a0359391cdde48
Verdict:
Malicious
File Type:
js
Detections:
Trojan.VBS.SAgent.sb PDM:Trojan.Win32.Generic Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Startup.gen HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/b65da47cf6dc6bc5ae6db9041f67c97a04f28672cea65e7ad9a0359391cdde48/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1881728
Signature
Creates processes via WMI
Drops script or batch files to the startup folder
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries the IP of a very long domain name
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected MSIL Injector
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1881728 Sample: YaoBE6WOir.js Startdate: 11/03/2026 Architecture: WINDOWS Score: 100 29 bafybeibwz6lzwo6u5gkhp3ydl4te3hl3plfkypox6mnejssqwfrpdsmqoy.ipfs.dweb.link 2->29 31 ia601609.us.archive.org 2->31 39 Suricata IDS alerts for network traffic 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 47 7 other signatures 2->47 8 wscript.exe 1 3 2->8         started        12 svchost.exe 1 1 2->12         started        15 powershell.exe 14 16 2->15         started        17 wscript.exe 1 2->17         started        signatures3 45 Queries the IP of a very long domain name 29->45 process4 dnsIp5 25 C:\Users\...\YaoBE6WOir.js:Zone.Identifier, ASCII 8->25 dropped 27 C:\Users\user\AppData\...\YaoBE6WOir.js, Unicode 8->27 dropped 49 Suspicious powershell command line found 8->49 51 Wscript starts Powershell (via cmd or directly) 8->51 53 Drops script or batch files to the startup folder 8->53 57 2 other signatures 8->57 33 127.0.0.1 unknown unknown 12->33 55 Creates processes via WMI 12->55 35 bafybeibwz6lzwo6u5gkhp3ydl4te3hl3plfkypox6mnejssqwfrpdsmqoy.ipfs.dweb.link 209.94.90.3, 443, 49684, 49691 PROTOCOLUS United States 15->35 37 ia601609.us.archive.org 207.241.227.89, 443, 49683, 49690 INTERNET-ARCHIVEUS United States 15->37 19 conhost.exe 15->19         started        21 powershell.exe 17->21         started        file6 signatures7 process8 process9 23 conhost.exe 21->23         started       
Score:
18%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/b65da47cf6dc6bc5ae6db9041f67c97a04f28672cea65e7ad9a0359391cdde48
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b65da47cf6dc6bc5ae6db9041f67c97a04f28672cea65e7ad9a0359391cdde48/
Verdict:
Malicious
Threat:
Family.REVERSELOADER
Link:
https://tip.neiki.dev/file/b65da47cf6dc6bc5ae6db9041f67c97a04f28672cea65e7ad9a0359391cdde48
Threat name:
Script-JS.Trojan.ObfPadding
Create hunting rule
Status:
Malicious
First seen:
2026-03-11 01:01:51 UTC
File Type:
Text (JavaScript)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wzo2i7hw3rv4lltnxecb6z6jpicpfbtsz2tf46wzua2zheon3zea._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
0794dde51a3d0c0c712fa764940be7ff12b83e73ffe33ac9c5d0847fc50d9075
XWorm
0f425d11e80b7cf493fb42d4f4866efb68169d3c5b1a90af93ceef9a82649b5f
XWorm
4fc5db02f555a38fe3a0153e1f7d8261fc545a9ac7a2951a4558f5571b20531d
XWorm
e45fdbb2d13cde33ef20e43a38308dca4bbe4718c01268ae960e3e105494923d
XWorm
error
XWorm
f3da246accb9e31bdb4e51187dada28e4c71a927c56adea2333fb9625b1bf7f5
XWorm
+ 1'492 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:remcos family:xworm botnet:remotehost discovery execution persistence rat trojan
Link:
https://tria.ge/reports/260311-j7729ahs5x/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Executes dropped EXE
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Process spawned unexpected child process
Remcos
Remcos family
Xworm
Xworm family
Malware Config
C2 Extraction:
198.23.175.51:4078
198.23.175.51:4079
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/b65da47cf6dc6bc5ae6db9041f67c97a04f28672cea65e7ad9a0359391cdde48

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments