MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0c6530004391cf1d41fb844ddfc26736baf935a52525f029d42c3dd0f6ec315. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0c6530004391cf1d41fb844ddfc26736baf935a52525f029d42c3dd0f6ec315
SHA3-384 hash: e258d830ce670bfa4294b9f90c964106707131cbaf2bc4360468b3c6e0d9207934b4d158832701ca7396c7222e6f6c1c
SHA1 hash: 4c361d0c807bcd9d613bffead3fc3a3c56a7da99
MD5 hash: df742cf5463ff13a2777ea666d30e701
humanhash: quebec-fifteen-friend-lamp
File name:awb_Dhl_Shipping_documents_delivery_09_06_2025_0000000000000_pdf.lnk
Download: download sample
Signature XWorm
Create hunting rule
File size:2'398 bytes
First seen:2025-06-09 15:23:28 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 48:8QOnVw1JH+ZtJbkT580ADSPodLXuHm0Y0mSJH:8H0HM7Ye0ADDuG0Y0mS
Threatray 709 similar samples on MalwareBazaar
TLSH T1FC4133152BF90718E2F39E3598BBAA619977FD15FE228E1D008612490873B00E957F3B
Magika lnk
Reporter abuse_ch
Tags:DHL lnk xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27118.LnkHeur.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30777.LnkHeur.UNOFFICIAL
Create hunting rule

MiscreantPunch.INFO.LNK.CMDPSHELL.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.KingForADaypshell.20231121.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.LavenderBones.20240515.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.HotMetalDobermans.20240516.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6846fcb38bd5d68a12e71709
Tags:
obfuscate xtreme shell
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/f0c6530004391cf1d41fb844ddfc26736baf935a52525f029d42c3dd0f6ec315/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
Trojan.PowerShell.LNK.Generic.12;BZC.PZQ.Boxter.791
Link:
https://www.hybrid-analysis.com/sample/f0c6530004391cf1d41fb844ddfc26736baf935a52525f029d42c3dd0f6ec315
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1709876
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Uses dynamic DNS services
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1709876 Sample: awb_Dhl_Shipping_documents_... Startdate: 09/06/2025 Architecture: WINDOWS Score: 100 82 uzlehalo.duckdns.org 2->82 84 x1.i.lencr.org 2->84 86 5 other IPs or domains 2->86 94 Suricata IDS alerts for network traffic 2->94 96 Found malware configuration 2->96 98 Malicious sample detected (through community Yara rule) 2->98 102 18 other signatures 2->102 12 cmd.exe 1 2->12         started        15 cmd.exe 2->15         started        signatures3 100 Uses dynamic DNS services 82->100 process4 signatures5 124 Windows shortcut file (LNK) starts blacklisted processes 12->124 126 Suspicious powershell command line found 12->126 128 Bypasses PowerShell execution policy 12->128 130 Suspicious command line found 12->130 17 powershell.exe 17 19 12->17         started        22 conhost.exe 1 12->22         started        24 cmd.exe 15->24         started        26 conhost.exe 15->26         started        process6 dnsIp7 78 katyache.com 185.68.16.29, 443, 49688 UKRAINE-ASUA Ukraine 17->78 80 latencyx.pythonanywhere.com 35.173.69.207, 443, 49687 AMAZON-AESUS United States 17->80 72 C:\Users\user\AppData\Local\...\tmpB04E.bat, ASCII 17->72 dropped 104 Windows shortcut file (LNK) starts blacklisted processes 17->104 106 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->106 108 Suspicious powershell command line found 17->108 112 2 other signatures 17->112 28 cmd.exe 1 17->28         started        31 Acrobat.exe 69 17->31         started        110 Suspicious command line found 24->110 33 powershell.exe 24->33         started        36 conhost.exe 24->36         started        38 cmd.exe 24->38         started        40 timeout.exe 24->40         started        file8 signatures9 process10 file11 132 Windows shortcut file (LNK) starts blacklisted processes 28->132 42 cmd.exe 1 28->42         started        45 conhost.exe 28->45         started        47 AcroCEF.exe 98 31->47         started        70 \Device\ConDrv, ASCII 33->70 dropped 134 Suspicious powershell command line found 33->134 50 powershell.exe 33->50         started        signatures12 process13 dnsIp14 118 Windows shortcut file (LNK) starts blacklisted processes 42->118 120 Suspicious powershell command line found 42->120 122 Suspicious command line found 42->122 52 powershell.exe 1 19 42->52         started        57 conhost.exe 42->57         started        59 cmd.exe 1 42->59         started        92 e8652.dscx.akamaiedge.net 96.6.169.42, 49696, 80 AKAMAI-ASUS United States 47->92 61 AcroCEF.exe 47->61         started        signatures15 process16 dnsIp17 88 uzlehalo.duckdns.org 185.167.61.79, 3933, 49700, 49702 INETLTDTR Turkey 52->88 74 C:\Users\user\AppData\...\Protect2a3d628b.dll, PE32+ 52->74 dropped 76 C:\Users\user\...\StartupScript_8b2cde64.cmd, ASCII 52->76 dropped 114 Windows shortcut file (LNK) starts blacklisted processes 52->114 116 Suspicious powershell command line found 52->116 63 powershell.exe 52->63         started        66 powershell.exe 28 52->66         started        90 96.7.168.138, 443, 49699 INTERNEXABRASILOPERADORADETELECOMUNICACOESSABR United States 61->90 file18 signatures19 process20 signatures21 136 Loading BitLocker PowerShell Module 63->136 68 conhost.exe 63->68         started        process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0c6530004391cf1d41fb844ddfc26736baf935a52525f029d42c3dd0f6ec315/
Threat name:
Shortcut.Trojan.WinLnk
Create hunting rule
Status:
Malicious
First seen:
2025-06-09 15:24:15 UTC
File Type:
Binary
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ddfgaaeheopdva7xbcn37bgonv27e22kjjf6au5ilb52d3oymkq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
097dbcf18e9ebc074af64ac1a899693153ac937ba363a3f096e11a5a403105e3
XWorm
55167bd32c236720792dbcd9318114b75ac5784c7c8be5f82b1f515aefcbf281
XWorm
90c97445e04e3b466ef00025c6c8b7656205dd48a7456f05986dbbae983597c3
XWorm
cabe7c8088610b32f234f920fdfc9c0ba3c64301e1cb3bd443f400b9998ba50f
XWorm
e62e0323fa4dca5cd8a6806794eb53c40ac2db3aa891715abc3b4414518736a4
XWorm
error
XWorm
fe5117d476a540ae72ba713ae4781c2cb9ffa12503b34a527ad3ca7853de4929
XWorm
+ 699 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250609-ss3nnafq71/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Malware Config
Dropper Extraction:
https://latencyx.pythonanywhere.com/download/811206321c2048b99b75ccfd8f02b2f1.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f0c6530004391cf1d41fb844ddfc26736baf935a52525f029d42c3dd0f6ec315

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Execution_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies execution artefacts in shortcut (LNK) files.
Rule name:LNK_sospechosos
Create hunting rule
Author:Germán Fernández
Description:Detecta archivos .lnk sospechosos
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_CMD
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to cmd.exe inside an lnk file, which is suspicious
Rule name:SUSP_LNK_PowerShell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to powershell inside an lnk file, which is suspicious
Rule name:SUSP_LNK_SuspiciousCommands
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects LNK file with suspicious content
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments