MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e463226cbb26f2a9248dc8f40434bfadd2e718b5477d000414e32bcecc6900eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

N-W0rm

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	e463226cbb26f2a9248dc8f40434bfadd2e718b5477d000414e32bcecc6900eb
SHA3-384 hash:	9c897695e29383a39152074c8f0821262dd492d8bef376148e5556445dcbd22ac740ce3a628654c21f9b8a3df7a8a9d6
SHA1 hash:	eb01dda189bbd6c1802a28befe359e85f9e46875
MD5 hash:	29db20d5b0a1c537d5540e4e27b222b8
humanhash:	avocado-quiet-oranges-helium
File name:	RFQ0318200881102-02115.js
Download:	download sample
Signature	N-W0rm Create hunting rule
File size:	40'786 bytes
First seen:	2026-04-15 07:55:50 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	384:+tCAz8KgRCdM6YuXw/ooCsGVdXcwXWD/0bwK9pjbZ8tBCU2DB1lsl:YCAzdXdMfgoC5zi/0k
TLSH	T12803681625DFCB0861B216CA4A9F13300B9F799F1FBF8085418DEA894BD3A159C5A7F3
TrID	66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1) 33.3% (.MP3) MP3 audio (1000/1)
Magika	vba
Reporter	abuse_ch
Tags:	js N-W0rm

Intelligence

File Origin

# of uploads :

# of downloads :

133

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.26866.JsHeur.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69de1a2645787c53e5398b26

Tags:

xtreme shell blic

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 obfuscated powershell powershell powershell repaired

Link:

https://www.filescan.io/uploads/69df4578fd15f1ca1ccff57a/reports/22de2af6-ae76-4db8-8393-d8287d9dfe1e/overview

Verdict:

Suspicious

Labled as:

PowerShell/TrojanDownloader.Agent

Link:

https://www.hybrid-analysis.com/sample/e463226cbb26f2a9248dc8f40434bfadd2e718b5477d000414e32bcecc6900eb

Verdict:

Malicious

File Type:

First seen:

2026-04-14T07:50:00Z UTC

Last seen:

2026-04-15T06:37:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan.Script.Generic HEUR:Trojan.PowerShell.Generic PDM:Trojan.Win32.Generic Trojan.JS.SAgent.sb

Link:

https://opentip.kaspersky.com/e463226cbb26f2a9248dc8f40434bfadd2e718b5477d000414e32bcecc6900eb/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1898530

Signature

Bypasses PowerShell execution policy

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

JScript performs obfuscated calls to suspicious functions

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Execution of Powershell Script in Public Folder

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

WScript reads language and country specific registry keys (likely country aware script)

Wscript starts Powershell (via cmd or directly)

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/e463226cbb26f2a9248dc8f40434bfadd2e718b5477d000414e32bcecc6900eb

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e463226cbb26f2a9248dc8f40434bfadd2e718b5477d000414e32bcecc6900eb/

Verdict:

Malicious

Threat:

Trojan.JS.SAgent

Link:

https://tip.neiki.dev/file/e463226cbb26f2a9248dc8f40434bfadd2e718b5477d000414e32bcecc6900eb

Threat name:

Win32.Trojan.Egairtigado

Status:

Malicious

First seen:

2026-04-14 10:42:54 UTC

File Type:

Text (JavaScript)

AV detection:

10 of 38 (26.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4rrse3f3e3zksjenzd2ainf7vxjoogfvi56qabau4mv45tdjadvq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

defense_evasion discovery execution persistence

Link:

https://tria.ge/reports/260415-jtrhcacs6s/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Indicator Removal: File Deletion

.NET Reactor proctector

Checks computer location settings

Badlisted process makes network request

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e463226cbb26f2a9248dc8f40434bfadd2e718b5477d000414e32bcecc6900eb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample