MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5090bf88e382f6a4db66fd00a5d730fa509b2279d4573bb54204c432ad619e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

N-W0rm

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	e5090bf88e382f6a4db66fd00a5d730fa509b2279d4573bb54204c432ad619e7
SHA3-384 hash:	34e9a6c57e8a5e651f865ef175294c3fdb141c000fb72de7245694ad52e5ee46b666f7fd7c79f4913fd7d85fe781c348
SHA1 hash:	3a62aa9414c15d1bd7705bb8fd2da47c028a140d
MD5 hash:	00dd3017d15a25e379d9371c91a96e40
humanhash:	vermont-kansas-cold-lima
File name:	IQ05520888211000-08211.js
Download:	download sample
Signature	N-W0rm Create hunting rule
File size:	40'978 bytes
First seen:	2026-04-15 07:56:28 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	384:6KzA8KgRCdM6Y1YGnnls5VVxcmsWDd0bD:6KzAdXdM8QnlWsid0v
TLSH	T145036715399FCB0861B216CA469F03750BAFB65F0FBF80D5448DEE894FD3521889A7B2
TrID	66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1) 33.3% (.MP3) MP3 audio (1000/1)
Magika	vba
Reporter	abuse_ch
Tags:	js N-W0rm

Intelligence

File Origin

# of uploads :

# of downloads :

134

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.26866.JsHeur.UNOFFICIAL

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69de2bc945787c53e5399473

Tags:

xtreme shell blic

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 nemucod obfuscated powershell powershell powershell repaired

Link:

https://www.filescan.io/uploads/69df457e799d5bf325ff39e5/reports/58166f20-f21f-416f-b502-815e10148735/overview

Verdict:

Suspicious

Labled as:

PowerShell/TrojanDownloader.Agent

Link:

https://www.hybrid-analysis.com/sample/e5090bf88e382f6a4db66fd00a5d730fa509b2279d4573bb54204c432ad619e7

Verdict:

Malicious

File Type:

First seen:

2026-04-14T09:02:00Z UTC

Last seen:

2026-04-15T06:37:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan.Script.Generic HEUR:Trojan.PowerShell.Generic PDM:Trojan.Win32.Generic Trojan.JS.SAgent.sb

Link:

https://opentip.kaspersky.com/e5090bf88e382f6a4db66fd00a5d730fa509b2279d4573bb54204c432ad619e7/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1898521

Signature

Bypasses PowerShell execution policy

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

JScript performs obfuscated calls to suspicious functions

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Execution of Powershell Script in Public Folder

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

WScript reads language and country specific registry keys (likely country aware script)

Wscript starts Powershell (via cmd or directly)

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/e5090bf88e382f6a4db66fd00a5d730fa509b2279d4573bb54204c432ad619e7

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e5090bf88e382f6a4db66fd00a5d730fa509b2279d4573bb54204c432ad619e7/

Verdict:

Malicious

Threat:

Trojan.JS.SAgent

Link:

https://tip.neiki.dev/file/e5090bf88e382f6a4db66fd00a5d730fa509b2279d4573bb54204c432ad619e7

Threat name:

Win32.Trojan.Ravartar

Status:

Malicious

First seen:

2026-04-14 11:58:09 UTC

File Type:

Text (JavaScript)

AV detection:

10 of 38 (26.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4ueqx6eohaxwutnwn7iauxltb6sqtmrhtvcxho2uebgegkwwdhtq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

defense_evasion discovery execution persistence

Link:

https://tria.ge/reports/260415-jvpp5shs4m/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Indicator Removal: File Deletion

.NET Reactor proctector

Checks computer location settings

Badlisted process makes network request

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e5090bf88e382f6a4db66fd00a5d730fa509b2279d4573bb54204c432ad619e7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample