MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2444ec2549a9aad73567a3d1e1b00ff4de8be3727489c0cf1f5397975aa0c8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	f2444ec2549a9aad73567a3d1e1b00ff4de8be3727489c0cf1f5397975aa0c8d
SHA3-384 hash:	0191ece5d8166f0399fb0b0da306174af569d0f176151630c415f3072de8e777361902c7f02071da6a32aa5bb8143001
SHA1 hash:	1206925fbbe87d567831865836f15cc87ba13480
MD5 hash:	3dd37d75509b9cc0d97d99d56e7a157a
humanhash:	seventeen-neptune-stairway-bravo
File name:	Request for Quotation.js
Download:	download sample
Signature	XWorm Create hunting rule
File size:	52'142 bytes
First seen:	2025-09-02 08:22:01 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	192:DPH4m0nvKyp7Qxx4lwPu7CLJyNQ6O72OUqlyfUJQfacH:DPYXvK4tlwPu7CLJq3OyOUqlyfUJgaI
TLSH	T17133F1AE19F2701BD6B86CA0F62EE7597E11878FAE1C071D1FF711A8894205370E7C96
Magika	javascript
Reporter	abuse_ch
Tags:	js MSI-STEGO xworm

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68b6a95aeb163e0ec1841e85

Tags:

obfuscate autorun xtreme virus

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm base64 evasive fingerprint obfuscated obfuscated powershell

Link:

https://www.filescan.io/uploads/68b6a99c39a6221faa7a10f8/reports/7baef1ec-83f9-475c-8a66-79e3f7a182b5/overview

Verdict:

Malicious

Labled as:

VBS/Agent.TKB trojan

Link:

https://www.hybrid-analysis.com/sample/f2444ec2549a9aad73567a3d1e1b00ff4de8be3727489c0cf1f5397975aa0c8d

Verdict:

Malicious

File Type:

First seen:

2025-09-02T03:15:00Z UTC

Last seen:

2025-09-02T03:15:00Z UTC

Hits:

~100

Detections:

PDM:Trojan.Win32.Generic Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic

Link:

https://opentip.kaspersky.com/f2444ec2549a9aad73567a3d1e1b00ff4de8be3727489c0cf1f5397975aa0c8d/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1769318

Signature

Creates processes via WMI

Found suspicious powershell code related to unpacking or dynamic code loading

Found Tor onion address

JavaScript source code contains functionality to generate code involving a shell, file or stream

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Yara detected Powershell download and execute

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/f2444ec2549a9aad73567a3d1e1b00ff4de8be3727489c0cf1f5397975aa0c8d

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f2444ec2549a9aad73567a3d1e1b00ff4de8be3727489c0cf1f5397975aa0c8d/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/f2444ec2549a9aad73567a3d1e1b00ff4de8be3727489c0cf1f5397975aa0c8d

Threat name:

Script-JS.Downloader.AgentTesla

Status:

Malicious

First seen:

2025-09-02 06:20:41 UTC

File Type:

Binary

AV detection:

10 of 24 (41.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6jce5qsutknk242wpi6r4gya75g6rprxe5ejydhr6u4xs5nkbsgq._file

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm discovery execution persistence rat trojan

Link:

https://tria.ge/reports/250902-kaw46afm2w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Command and Scripting Interpreter: JavaScript

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Drops startup file

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Detect Xworm Payload

Process spawned unexpected child process

Xworm

Xworm family

Malware Config

C2 Extraction:

45.55.67.254:4580

Dropper Extraction:

https://archive.org/download/optimized_msi_20250821/optimized_MSI.png

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f2444ec2549a9aad73567a3d1e1b00ff4de8be3727489c0cf1f5397975aa0c8d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample