MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea84300a2c8500206df527ef2d2559a328e9b3efd41717c1a4d3e865d602c316. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea84300a2c8500206df527ef2d2559a328e9b3efd41717c1a4d3e865d602c316
SHA3-384 hash: 127c6c78824cce092e2d6df8a18f632504e1f11cdf50ddbf6238df6ffe5ae63267c9a65b0a605bc9c36bb4079971424e
SHA1 hash: 947be03f0dea6a9abc6b5640a6c02c37ec9c8ee2
MD5 hash: a7cd009710225cecaaa291664aebd79e
humanhash: texas-ohio-mexico-xray
File name:PO-09609-MQ-0975-QN-0970-200MM-0850-06-26.JS
Download: download sample
Signature XWorm
Create hunting rule
File size:3'652'168 bytes
First seen:2026-06-04 06:21:18 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 98304:JFwYROezdlQ5cuVJpXW4wwI5S8BGhHvZLh8cYpQhFsAJJAZW:J+SU/VfX6wI5SFvZLhvvaZW
TLSH T13EF594C117418076626EB36C8577752096AF402331CAEF0730DEA374B658D7BA396AFB
Magika javascript
Reporter abuse_ch
Tags:js xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a2119a157b7bf261d60c397
Tags:
shell sage blic
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug dropper evasive obfuscated obfuscated packed repaired
Link:
https://www.filescan.io/uploads/6a211983099ef368af1c9cbf/reports/d71cd634-5b2d-48fc-98ef-fc1e148dc54b/overview
Verdict:
Suspicious
Labled as:
JS/Agent.DLR
Link:
https://www.hybrid-analysis.com/sample/ea84300a2c8500206df527ef2d2559a328e9b3efd41717c1a4d3e865d602c316
Verdict:
Malicious
File Type:
js
First seen:
2026-06-03T22:42:00Z UTC
Last seen:
2026-06-06T03:04:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.Script.Generic HEUR:Trojan-Dropper.Script.Generic HEUR:Trojan-Downloader.Script.Generic PDM:Trojan.Win32.Generic Backdoor.Agent.TCP.C&C
Link:
https://opentip.kaspersky.com/ea84300a2c8500206df527ef2d2559a328e9b3efd41717c1a4d3e865d602c316/results?tab=lookup
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
evad.troj.spyw.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1922683
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected malicious Powershell script
Benign windows process drops PE files
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Yara detected Lua decrypt and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1922683 Sample: PO-09609-MQ-0975-QN-0970-20... Startdate: 04/06/2026 Architecture: WINDOWS Score: 100 100 keyauth.win 2->100 104 Suricata IDS alerts for network traffic 2->104 106 Yara detected Lua decrypt and execute 2->106 108 Yara detected XWorm 2->108 110 12 other signatures 2->110 13 wscript.exe 1 3 2->13         started        signatures3 process4 file5 84 C:\Users\Public\...\AQFJHIAXJLCGWOCN.exe, PE32 13->84 dropped 86 C:\Users\Public\...\AQFJHIAXJLCGWOCN.ttf, ASCII 13->86 dropped 124 Benign windows process drops PE files 13->124 126 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->126 128 Suspicious execution chain found 13->128 130 WScript reads language and country specific registry keys (likely country aware script) 13->130 17 AQFJHIAXJLCGWOCN.exe 2 8 13->17         started        signatures6 process7 dnsIp8 98 45.133.116.16, 49709, 8823 M247RO France 17->98 74 C:\Users\user\AppData\...\p322xdlgkfx.exe, PE32+ 17->74 dropped 76 C:\Users\user\AppData\...\vefciw4lah4.ps1, ASCII 17->76 dropped 112 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->112 114 Encrypted powershell cmdline option found 17->114 116 Bypasses PowerShell execution policy 17->116 118 Unusual module load detection (module proxying) 17->118 22 powershell.exe 22 17->22         started        26 csc.exe 4 17->26         started        28 csc.exe 3 17->28         started        30 3 other processes 17->30 file9 signatures10 process11 file12 80 C:\Users\user\AppData\...\tdrjgvc1.cmdline, Unicode 22->80 dropped 120 Suspicious powershell command line found 22->120 32 powershell.exe 22->32         started        34 csc.exe 22->34         started        37 conhost.exe 22->37         started        82 C:\Users\user\...\AQFJHIAXJLCGWOCN.exe, PE32 26->82 dropped 39 conhost.exe 26->39         started        41 cvtres.exe 1 26->41         started        43 conhost.exe 28->43         started        45 cvtres.exe 1 28->45         started        signatures13 process14 file15 47 p322xdlgkfx.exe 32->47         started        51 csc.exe 32->51         started        53 conhost.exe 32->53         started        78 C:\Users\user\AppData\Local\...\tdrjgvc1.dll, PE32 34->78 dropped 55 cvtres.exe 34->55         started        process16 file17 88 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 47->88 dropped 90 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 47->90 dropped 92 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 47->92 dropped 96 58 other malicious files 47->96 dropped 102 Multi AV Scanner detection for dropped file 47->102 57 p322xdlgkfx.exe 47->57         started        94 C:\Users\user\AppData\Local\...\ps3wp0kq.dll, PE32 51->94 dropped 60 cvtres.exe 51->60         started        signatures18 process19 signatures20 122 Tries to harvest and steal browser information (history, passwords, etc) 57->122 62 taskkill.exe 57->62         started        64 taskkill.exe 57->64         started        66 taskkill.exe 57->66         started        process21 process22 68 conhost.exe 62->68         started        70 conhost.exe 64->70         started        72 conhost.exe 66->72         started       
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea84300a2c8500206df527ef2d2559a328e9b3efd41717c1a4d3e865d602c316/
Verdict:
Malicious
Threat:
Backdoor.Agent.TCP
Link:
https://tip.neiki.dev/file/ea84300a2c8500206df527ef2d2559a328e9b3efd41717c1a4d3e865d602c316
Threat name:
Script-JS.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-06-04 03:01:24 UTC
File Type:
Text (JavaScript)
AV detection:
9 of 23 (39.13%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5kcdacrmquaca3pve7xs2jkzumuotm7p2qlrpqne2puglvqcymla._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
donutloader
Create hunting rule
Similar samples:
error
XWorm
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:xworm collection defense_evasion discovery execution loader pyinstaller rat spyware stealer trojan upx
Link:
https://tria.ge/reports/260604-g4rvraby8n/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: PowerShell
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
UPX packed file
Accesses Microsoft Outlook profiles
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Detect Xworm Payload
Detects DonutLoader
Family: DonutLoader
Family: Xworm
Malware Config
C2 Extraction:
45.133.116.16:8823
BiMQuT238p64emYwAjhVaw==:23
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea84300a2c8500206df527ef2d2559a328e9b3efd41717c1a4d3e865d602c316

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments