MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be4308b1266c148eb7c778aa68d58dffb1350aa556d7bd58d8ff3a0d2ad449fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XWorm


Vendor detections: 10



SHA256 hash: be4308b1266c148eb7c778aa68d58dffb1350aa556d7bd58d8ff3a0d2ad449fa
SHA3-384 hash: 716b2432739352005c81397144c3caaa7b44f1c88506c0e1081ae4b853557728bc47cd9d41f4cc5a7140324a90137e8a
SHA1 hash: 6e5b84a067f94c243164e77a8a44540477c5f8dc
MD5 hash: e4a863c245a08f0e2216d89d6d53aa2a
humanhash: mountain-july-freddie-high
File name: 26010073- singed.pdf.JS
Signature: XWorm
File size: 6'613'271 bytes
First seen: 2026-06-11 14:39:13 UTC
Last seen: 2026-06-11 14:40:44 UTC
File type: Java Script (JS) js
MIME type: text/plain
ssdeep: 98304:3czVhSKY79lb53jihxgKWH5orFrWLtyiNpGNMsl/8FquA63uuD0PUAIj9Ce:3YU9TwbQUB/cEUtpCe
TLSH: T1F666F0310354DA71C26C5AAEA6F97118140D5DCE98F9FB093A6A47B10276833E3BF7B1
Magika: txt
Reporter: lowmal3
Tags: js xworm

Intelligence


File Origin
# of uploads: 2
# of downloads: 125
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Suspicious
Score: 50.0%
Tags: spawn blic

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug dropper evasive obfuscated obfuscated packed repaired

Verdict: Malicious
File Type: js
First seen: 2026-06-11T00:28:00Z UTC
Last seen: 2026-06-11T11:34:00Z UTC
Hits: ~1000

Result
Threat name: DonutLoader, FormBook, XWorm
Detection: malicious
Classification: evad.troj.spyw
Score: 100 / 100
Signature
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found API chain indicative of debugger detection
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Parent Double Extension File Execution
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses an obfuscated file name to hide its real file extension (double extension)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Yara detected DonutLoader
Yara detected FormBook
Yara detected Lua decrypt and execute
Yara detected XWorm
Behaviour
Behavior Graph:
[Behavior graph image. Behavior Graph ID: 1926692; Sample: 26010073- singed.pdf.JS.js; Startdate: 11/06/2026; Architecture: WINDOWS; Score: 100]
Verdict: malicious
Label(s): donutloader xworm
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:donutloader family:formbook family:xworm collection discovery execution loader persistence rat spyware stealer trojan
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Detect Xworm Payload
Detects DonutLoader
Family: DonutLoader
Family: Formbook
Family: Xworm
Formbook payload
Malware Config
C2 Extraction:
94.154.32.163:7004
45.88.91.5:7004
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
XWorm
Java Script (JS) js be4308b1266c148eb7c778aa68d58dffb1350aa556d7bd58d8ff3a0d2ad449fa (this sample)

Delivery method: Distributed via e-mail attachment

Comments