MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8393ec6bb72178d727ee6fa8d73fff62ba61268297a879f6df108c688b2fba8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XWorm


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments

SHA256 hash: f8393ec6bb72178d727ee6fa8d73fff62ba61268297a879f6df108c688b2fba8
SHA3-384 hash: e722e7ba9263e029f04442046981787b58fc60e3de9e385bf5386e206bdbb1c0d24a461748135e7361aabc3feb62a319
SHA1 hash: 93195efe73fa426391e7473bf7de7fb10382bf0a
MD5 hash: 2b076d741cb169cfcbe27857eddc6ce6
humanhash: jig-uniform-romeo-eight
File name:SOLICITUD DE COTIZACIÓN FORMAL.XLS.hta
Download: download sample
Signature XWorm
File size:1'647'128 bytes
First seen:2026-07-15 12:03:38 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/plain
ssdeep 768:/OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOk:1b2AU9
TLSH T1C7757C2963C96B0FD2971E314A032433BD75CC998E2DD5167B72B89CECC597B129183B
Magika javascript
Reporter James_inthe_box
Tags:exe hta xworm

Intelligence


File Origin
# of uploads :
1
# of downloads :
37
Origin country :
US US
Vendor Threat Intelligence
No detections
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Payload URLs
URL
File name
https://misty-cherry-cea3.uploadsimg.workers.dev/Wyflg
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
File Type:
hta
First seen:
2026-07-14T15:31:00Z UTC
Last seen:
2026-07-16T07:53:00Z UTC
Hits:
~1000
Verdict:
inconclusive
YARA:
2 match(es)
Tags:
Html
Threat name:
Script-JS.Trojan.Generic
Status:
Suspicious
First seen:
2026-07-15 12:03:46 UTC
File Type:
Binary
AV detection:
7 of 38 (18.42%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:xworm discovery execution persistence rat trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Badlisted process makes network request
Detect Xworm Payload
Family: Xworm
Process spawned unexpected child process
Malware Config
C2 Extraction:
64.89.162.178:7007
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments