MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea2202c4b0c1249b69feae8f54620de216873ced23bb957931fcf943f73e8ef9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea2202c4b0c1249b69feae8f54620de216873ced23bb957931fcf943f73e8ef9
SHA3-384 hash: 407734320929bfe45cd2dd98e7623f8fc36990399c1cb60a5439d014be96a6038e934e77b5e5eb47686a9d76a66cf384
SHA1 hash: 9c284a5c26d1ffc4718c97ae634f54c4c6c69ff5
MD5 hash: 9958ce306d13872e1e7bb477c867c524
humanhash: saturn-kansas-don-sixteen
File name:H09876567890009.JS
Download: download sample
Signature XWorm
Create hunting rule
File size:6'887'919 bytes
First seen:2025-06-30 14:00:03 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 6144:GfHofoVqiiAeUyZ+TRNYPUJISd3Zy1nYAF8gVXVFRfjvnx3BhIz/VmhCoqEuOhHJ:Gfq
Threatray 27 similar samples on MalwareBazaar
TLSH T11D664F9E8D0BF7833142DFE0BA88AD9AE07B96C317027A7070DC5D09B35DD6629DC658
Magika javascript
Reporter abuse_ch
Tags:js xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
SE SE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PUA.JS.Obfus-2525.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.JS.Obfus-2179.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686298ba37c343677947cc02
Tags:
autorun emotet delphi
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context dropper evasive fingerprint keylogger obfuscated packed
Link:
https://www.filescan.io/uploads/6862989eee5b1c8f3d212cb3/reports/5f6f566b-e9fb-4ece-8358-3b7ee7886c70/overview
Verdict:
Malicious
Labled as:
Trojan/JS.Obfuscator
Link:
https://www.hybrid-analysis.com/sample/ea2202c4b0c1249b69feae8f54620de216873ced23bb957931fcf943f73e8ef9
Result
Threat name:
DBatLoader, PureLog Stealer, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1725623
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates many large memory junks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with a suspicious file extension
Found malware configuration
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected PureLog Stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1725623 Sample: H09876567890009.JS.js Startdate: 30/06/2025 Architecture: WINDOWS Score: 100 46 Suricata IDS alerts for network traffic 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 16 other signatures 2->52 8 wscript.exe 1 5 2->8         started        11 rundll32.exe 3 2->11         started        process3 signatures4 66 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->66 13 H09876567890009.JS.js.pif 7 8->13         started        16 Buorfitb.PIF 1 11->16         started        process5 file6 68 Writes to foreign memory regions 13->68 70 Allocates memory in foreign processes 13->70 72 Sample uses process hollowing technique 13->72 74 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 13->74 19 btifrouB.pif 1 3 13->19         started        24 cmd.exe 1 13->24         started        26 cmd.exe 1 13->26         started        28 cmd.exe 1 13->28         started        40 C:\Users\Public\Libraries\btifrouB.pif, PE32 16->40 dropped 76 Drops PE files with a suspicious file extension 16->76 78 Allocates many large memory junks 16->78 30 btifrouB.pif 1 16->30         started        signatures7 process8 dnsIp9 44 198.12.126.169, 49722, 8780 AS-COLOCROSSINGUS United States 19->44 42 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 19->42 dropped 54 Tries to steal Mail credentials (via file / registry access) 19->54 56 Tries to harvest and steal browser information (history, passwords, etc) 19->56 58 Uses schtasks.exe or at.exe to add and modify task schedules 24->58 32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        36 schtasks.exe 1 26->36         started        38 conhost.exe 28->38         started        60 Detected unpacking (changes PE section rights) 30->60 62 Detected unpacking (overwrites its own PE header) 30->62 64 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 30->64 file10 signatures11 process12
Score:
96%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/ea2202c4b0c1249b69feae8f54620de216873ced23bb957931fcf943f73e8ef9
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea2202c4b0c1249b69feae8f54620de216873ced23bb957931fcf943f73e8ef9/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5irafrfqyesjw2p6v2hviyqn4iliophneo5zk6jr7t4uh5z6r34q._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
unc_loader_001
Create hunting rule
Similar samples:
373a59724445fe6a91b6c0d1aff0ec54277faf061a4960d0e7e13fcebedfa709
XWorm
5f8469ff520ad563203f02d05f56eb5733cac27fb4361dc15ff3bc80aa78745d
XWorm
7ccc6e02a9571b7e04dd21f1571e3db4f5af3c61d6fbb17c691014621a4b4eb7
XWorm
a7d85600396969e5a2210cdc61f7f6efbbe15a279bfd65de8fa448a7ce0f354f
XWorm
e96a2b993722bee3393df92be9f4ec233673a7057c4fc8d31c5463f28368994b
XWorm
ea2202c4b0c1249b69feae8f54620de216873ced23bb957931fcf943f73e8ef9
XWorm
error
XWorm
+ 17 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xworm collection discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250630-rbc61acl6s/
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ModiLoader Second Stage
Detect Xworm Payload
ModiLoader, DBatLoader
Modiloader family
Xworm
Xworm family
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ea2202c4b0c1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea2202c4b0c1249b69feae8f54620de216873ced23bb957931fcf943f73e8ef9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments