MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb39d3b564103e08a57ba475aa657a2cf1cedadbafecfa01948ddb7506de03a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XWorm


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments

SHA256 hash: fb39d3b564103e08a57ba475aa657a2cf1cedadbafecfa01948ddb7506de03a0
SHA3-384 hash: 61a01369fffa740d0abb084c0ac13553a4425a730bb2e315abd0a244bee1f7919e6f3c4ac4299208e77eff4085796342
SHA1 hash: c2094e2ff960f9f07f4f1ce6f73b81fbee256ac1
MD5 hash: 1c7dcdc18904a8d4dd844d8a9c7a0673
humanhash: undress-music-massachusetts-social
File name:proof of payment.js
Download: download sample
Signature XWorm
File size:1'636'909 bytes
First seen:2026-07-15 07:23:48 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 768:ZddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddZ:z
Threatray 1 similar samples on MalwareBazaar
TLSH T12475A8A7C37D8736773A1736DF8F00009D6EB7282DAA12883D1677AA59831219176F37
Magika javascript
Reporter abuse_ch
Tags:js xworm

Intelligence


File Origin
# of uploads :
1
# of downloads :
133
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
96.5%
Tags:
autorun cryxos
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade repaired
Verdict:
Malicious
File Type:
js
First seen:
2026-07-14T20:11:00Z UTC
Last seen:
2026-07-16T05:47:00Z UTC
Hits:
~1000
Result
Threat name:
Detection:
malicious
Classification:
expl.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates processes via WMI
Detected large data written to user environment variables, potentially indicating payload staging for fileless execution
Drops script or batch files to the startup folder
Early bird code injection technique detected
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Suspect Svchost Activity
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1942686 Sample: proof of payment.js Startdate: 15/07/2026 Architecture: WINDOWS Score: 100 65 pastebin.com 2->65 67 sunix-technology.com 2->67 69 2 other IPs or domains 2->69 79 Suricata IDS alerts for network traffic 2->79 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 87 12 other signatures 2->87 10 wscript.exe 1 2->10         started        12 wscript.exe 2 3 2->12         started        16 powershell.exe 15 2->16         started        signatures3 85 Connects to a pastebin service (likely for C&C) 65->85 process4 dnsIp5 19 powershell.exe 14 15 10->19         started        59 C:\...\proof of payment.js:Zone.Identifier, ASCII 12->59 dropped 61 C:\Users\user\AppData\...\proof of payment.js, Unicode 12->61 dropped 105 Wscript starts Powershell (via cmd or directly) 12->105 107 Drops script or batch files to the startup folder 12->107 109 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->109 115 3 other signatures 12->115 63 sunix-technology.com 192.232.216.135, 443, 49698, 49699 UNIFIEDLAYER-AS-1-UnifiedLayerUS United States 16->63 111 Writes to foreign memory regions 16->111 113 Injects a PE file into a foreign processes 16->113 22 conhost.exe 16->22         started        24 CasPol.exe 3 16->24         started        26 CasPol.exe 16->26         started        file6 signatures7 process8 signatures9 89 Writes to foreign memory regions 19->89 91 Injects a PE file into a foreign processes 19->91 28 CasPol.exe 19 9 19->28         started        32 conhost.exe 19->32         started        93 Installs a global keyboard hook 22->93 process10 dnsIp11 75 203.202.232.149, 2222, 49700 WHITELABELUS Turkey 28->75 77 file.garden 104.26.6.5 CLOUDFLARENET-CloudflareIncUS Canada 28->77 117 Early bird code injection technique detected 28->117 119 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->119 121 Tries to steal Mail credentials (via file / registry access) 28->121 125 6 other signatures 28->125 34 svchost.exe 28->34         started        38 CasPol.exe 28->38         started        40 csc.exe 28->40         started        43 6 other processes 28->43 123 Installs a global keyboard hook 32->123 signatures12 process13 dnsIp14 71 157.254.167.209 AS17378-TierPointLLCUS Singapore 34->71 73 pastebin.com 104.20.29.150 CLOUDFLARENET-CloudflareIncUS Canada 34->73 95 System process connects to network (likely due to code injection or exploit) 34->95 97 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->97 99 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 34->99 103 4 other signatures 34->103 101 Antivirus detection for dropped file 38->101 57 C:\Users\user\AppData\Local\Temp\CasPol.exe, PE32 40->57 dropped 45 conhost.exe 40->45         started        47 cvtres.exe 40->47         started        49 conhost.exe 43->49         started        51 conhost.exe 43->51         started        53 conhost.exe 43->53         started        55 5 other processes 43->55 file15 signatures16 process17
Gathering data
Threat name:
Script-JS.Trojan.Cryxos
Status:
Malicious
First seen:
2026-07-14 23:24:22 UTC
File Type:
Text (JavaScript)
AV detection:
6 of 36 (16.67%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
Similar samples:
Result
Malware family:
Score:
  10/10
Tags:
family:xworm discovery execution rat trojan
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Drops startup file
Executes dropped EXE
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Family: Xworm
Process spawned unexpected child process
Malware Config
C2 Extraction:
203.202.232.149:2222
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments