MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa998dd5153a01397534f381ab5655a7afeb94e4b236e0dc4ffbed6891011949. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa998dd5153a01397534f381ab5655a7afeb94e4b236e0dc4ffbed6891011949
SHA3-384 hash: 54ba2b2d7ebb78f7bee63b967b366ee2ea7700039086ec186838470e6a52f7f0f2bee41d2c9eac32ba5802da40ff1c27
SHA1 hash: ed503f7fe4dd7e29f086d2264da4d6d6aad83e50
MD5 hash: 3ae21c0f8e11cc9879b521501b228df5
humanhash: connecticut-eighteen-mirror-washington
File name:awb_bl_invoice_delivery.lnk
Download: download sample
Signature XWorm
Create hunting rule
File size:3'753 bytes
First seen:2025-04-17 11:28:17 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 96:8mVJlId1ZCVg1OwJGQPCqX/UBMMbuLh9Uv:8mVJlId1ZCWOwJTX/obIC
Threatray 1'620 similar samples on MalwareBazaar
TLSH T1A0718C502DEF00CEF3B35B711BEDFABB1577F4A1685E65B522810A404B71E908861FBA
Magika lnk
Reporter abuse_ch
Tags:lnk xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27118.LnkHeur.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.26599.PshHeur.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Other.Malware-gen.28210.13388.UNOFFICIAL
Create hunting rule

MiscreantPunch.INFO.LNK.CMDPSHELL.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.KingForADaypshell.20231121.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6800e9a9280f5f89a0d06ab2
Tags:
obfuscate xtreme shell
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/fa998dd5153a01397534f381ab5655a7afeb94e4b236e0dc4ffbed6891011949/results/dashboard
Payload URLs
URL
File name
http://87.121.79.81:5000/download/40dbc55327684aa7a79d2751201e8e12.txt
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd cscript evasive lolbin masquerade powershell
Link:
https://www.filescan.io/uploads/6800e5de90767142c3d8eb91/reports/bea557cf-7939-4ad6-bf82-de93cde398e3/overview
Verdict:
Malicious
Labled as:
LNK/Autorun.Generic
Link:
https://www.hybrid-analysis.com/sample/fa998dd5153a01397534f381ab5655a7afeb94e4b236e0dc4ffbed6891011949
Result
Threat name:
Batch Injector, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1667425
Signature
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Drops script or batch files to the startup folder
Encrypted powershell cmdline option found
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) starts blacklisted processes
Wscript starts Powershell (via cmd or directly)
Yara detected Batch Injector
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1667425 Sample: awb_bl_invoice_delivery.lnk Startdate: 17/04/2025 Architecture: WINDOWS Score: 100 108 maxbusinessworld.duckdns.org 2->108 110 pki-goog.l.google.com 2->110 112 c.pki.goog 2->112 126 Suricata IDS alerts for network traffic 2->126 128 Found malware configuration 2->128 130 Malicious sample detected (through community Yara rule) 2->130 134 24 other signatures 2->134 13 cmd.exe 1 2->13         started        16 cmd.exe 1 2->16         started        18 cmd.exe 1 2->18         started        20 14 other processes 2->20 signatures3 132 Uses dynamic DNS services 108->132 process4 signatures5 158 Windows shortcut file (LNK) starts blacklisted processes 13->158 160 Suspicious powershell command line found 13->160 162 Wscript starts Powershell (via cmd or directly) 13->162 164 2 other signatures 13->164 22 powershell.exe 17 19 13->22         started        27 conhost.exe 1 13->27         started        29 cmd.exe 1 16->29         started        31 conhost.exe 16->31         started        33 cmd.exe 1 18->33         started        35 conhost.exe 18->35         started        37 cmd.exe 1 20->37         started        39 cmd.exe 20->39         started        41 26 other processes 20->41 process6 dnsIp7 114 87.121.79.81, 49692, 5000 NETERRA-ASBG Bulgaria 22->114 84 C:\Users\user\AppData\Local\Temp\tmp5533.js, ASCII 22->84 dropped 136 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->136 138 Drops script or batch files to the startup folder 22->138 140 Found suspicious powershell code related to unpacking or dynamic code loading 22->140 43 wscript.exe 1 2 22->43         started        142 Windows shortcut file (LNK) starts blacklisted processes 29->142 144 Suspicious powershell command line found 29->144 146 Wscript starts Powershell (via cmd or directly) 29->146 47 powershell.exe 29->47         started        49 conhost.exe 29->49         started        51 powershell.exe 33->51         started        53 conhost.exe 33->53         started        55 powershell.exe 37->55         started        57 conhost.exe 37->57         started        59 2 other processes 39->59 61 24 other processes 41->61 file8 signatures9 process10 file11 90 C:\Users\user\AppData\...\czrdnfigmtmsxic.bat, ASCII 43->90 dropped 150 Windows shortcut file (LNK) starts blacklisted processes 43->150 152 Wscript starts Powershell (via cmd or directly) 43->152 154 Windows Scripting host queries suspicious COM object (likely to drop second stage) 43->154 156 Suspicious execution chain found 43->156 63 cmd.exe 1 43->63         started        92 C:\Users\user\AppData\Roaming\...\f74a.bat, ASCII 47->92 dropped 94 C:\Users\user\AppData\Roaming\...\d2b7.bat, ASCII 51->94 dropped 96 C:\Users\user\AppData\Roaming\...\d778.bat, ASCII 55->96 dropped 98 C:\Users\user\AppData\Roaming\...\590f.bat, ASCII 59->98 dropped 100 C:\Users\user\AppData\Roaming\...\f07d.bat, ASCII 61->100 dropped 102 C:\Users\user\AppData\Roaming\...\f041.bat, ASCII 61->102 dropped 104 C:\Users\user\AppData\Roaming\...\afa6.bat, ASCII 61->104 dropped 106 9 other malicious files 61->106 dropped signatures12 process13 signatures14 166 Windows shortcut file (LNK) starts blacklisted processes 63->166 66 cmd.exe 2 63->66         started        69 conhost.exe 63->69         started        process15 signatures16 120 Windows shortcut file (LNK) starts blacklisted processes 66->120 122 Suspicious powershell command line found 66->122 124 Wscript starts Powershell (via cmd or directly) 66->124 71 powershell.exe 1 18 66->71         started        76 conhost.exe 66->76         started        process17 dnsIp18 116 maxbusinessworld.duckdns.org 172.111.137.164, 3911, 49693 SOFTLAYERUS United States 71->116 118 172.111.137.167, 3911, 49704, 49705 SOFTLAYERUS United States 71->118 86 C:\Users\user\AppData\Roaming\...\a9a9.bat, ASCII 71->86 dropped 88 C:\Users\user\AppData\...\tmpAB09.tmp.bat, DOS 71->88 dropped 148 Windows shortcut file (LNK) starts blacklisted processes 71->148 78 cmd.exe 71->78         started        file19 signatures20 process21 process22 80 conhost.exe 78->80         started        82 timeout.exe 78->82         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa998dd5153a01397534f381ab5655a7afeb94e4b236e0dc4ffbed6891011949/
Threat name:
Shortcut.Backdoor.XWorm
Create hunting rule
Status:
Malicious
First seen:
2025-04-17 07:14:09 UTC
File Type:
Binary
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7kmy3vivhiats5ju6oa2wvsvu6x6xfhewi3obxcp7pwwreibdfeq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
2aa37e753ce1273f6ee4968bec7e2381b79a85ffbd1ee3da1fe9b4c1ea3ec4cd
XWorm
53a2f686422f9f71b69d3a9699661c96dc1375d490ea188d5141bb1e8ae89029
XWorm
56f304f2e560f09da015a9f0744e3a0825f420e092ebf7d4605b81b56054bba5
XWorm
80a21952b87d83eb419768268b334364ecab48dbb9cbe55b967ba9636e512cab
XWorm
95bd50b1c849b16159f239b176e9c48d97bc7d841441829ec974997a93cb4c1e
XWorm
cb08ed88dd97692627d9bed9a5201369574a1ef581aa52cadd674b26461b1c9a
XWorm
d0ef84c36715bc834f68415f2b16ca2e8088141a83231f27c4a7d6285d4b6d1a
XWorm
error
XWorm
fbb6e25ede47737ad9d540192a46117ce42c6e24c7ce60d027e36ff49cba8213
XWorm
+ 1'610 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/250417-nlabbaxmw9/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
maxbusinessworld.duckdns.org:3911
Dropper Extraction:
http://87.121.79.81:5000/download/40dbc55327684aa7a79d2751201e8e12.txt
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fa998dd5153a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa998dd5153a01397534f381ab5655a7afeb94e4b236e0dc4ffbed6891011949

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Execution_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies execution artefacts in shortcut (LNK) files.
Rule name:LNK_sospechosos
Create hunting rule
Author:Germán Fernández
Description:Detecta archivos .lnk sospechosos
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_CMD
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to cmd.exe inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments