MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbd84c13f92b04ac2fca4748fdfb04468d6fb22f361a0fd1a7551ce9762597ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fbd84c13f92b04ac2fca4748fdfb04468d6fb22f361a0fd1a7551ce9762597ef
SHA3-384 hash: bc9ce5ad489e2cfc9f4473f045f1bcf41112e6cf7bda98f17682abc682a30580c9671da5e674518c17ff42c23d03398c
SHA1 hash: 16c959b5a639eeb3494aca27a5864c2bd0cc1106
MD5 hash: f2861264513f972d066b9b16d875861f
humanhash: apart-pennsylvania-mississippi-connecticut
File name:fbd84c13f92b04ac2fca4748fdfb04468d6fb22f361a0fd1a7551ce9762597ef.ps1
Download: download sample
Signature XWorm
Create hunting rule
File size:68'131 bytes
First seen:2026-03-19 15:37:11 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 1536:iWK5Mqlue2FVIanQwEI9Wuxn+sliaZLu0eFT4Tj49Yuy:5DqQe2FVjQwL9lTliasdAoYuy
Threatray 2'915 similar samples on MalwareBazaar
TLSH T1B0630125239E58F930F1D824B99A9B1CEA3850376C557C59B3E1E3B06FD314631B0E6B
Magika powershell
Reporter JAMESWT_WT
Tags:69-61-36-229 ps1 xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
132
Origin country :
IT IT
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69bc186688c80c01586c10e2
Tags:
emotet virus micro sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
base64 encrypted obfuscated powershell
Link:
https://www.filescan.io/uploads/69bc1863ab95f82184f6df30/reports/d3e84542-ff64-4073-a46a-f5348aa4efde/overview
Verdict:
Suspicious
Labled as:
PowerShell/TrojanDropper.Agent
Link:
https://www.hybrid-analysis.com/sample/fbd84c13f92b04ac2fca4748fdfb04468d6fb22f361a0fd1a7551ce9762597ef
Verdict:
Malicious
File Type:
ps1
Detections:
PDM:Trojan.Win32.Generic Backdoor.MSIL.Agent.sb Backdoor.Agent.TCP.C&C Trojan.Win64.Agentb.sb Trojan.Win32.Shellcode.sb Trojan.Win32.HTA.a UDS:DangerousObject.Multi.Generic
Link:
https://opentip.kaspersky.com/fbd84c13f92b04ac2fca4748fdfb04468d6fb22f361a0fd1a7551ce9762597ef/results?tab=lookup
Score:
62%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/fbd84c13f92b04ac2fca4748fdfb04468d6fb22f361a0fd1a7551ce9762597ef
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fbd84c13f92b04ac2fca4748fdfb04468d6fb22f361a0fd1a7551ce9762597ef/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/fbd84c13f92b04ac2fca4748fdfb04468d6fb22f361a0fd1a7551ce9762597ef
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7pmeye7zfmckyl6ki5ep36yei2gw7mrpgyna7unhkuoos5rfs7xq._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
xworm
Create hunting rule
Similar samples:
292f0dc47472057b493e1858eda6c1843531ad0f9ddcb1f7959b3677d2e0b0f3
XWorm
2fd18d94e14f0d6f387f32eee284d5896fe345f690b32cd754f0439d4f16aaed
XWorm
4bce5c43d01102b83bf0cb0b85d09ea8a758262b98b04aeccff957aad024f7bd
XWorm
78e42dc2fe1d89f120a7c41dc184bf8e5fe6fba98b21eeb08fe4e1be8143b3e2
XWorm
7e1c737b0425f74274a9a7b03335c72f8b0e82f7713e1713f98db9a0ad2c34cf
XWorm
89e0070aef9064b5cf70eeac08cbe05466c98e72be277000e4dde2b3a7859406
XWorm
bfe654871546beefc5b379d95a582716abbf505ecb1867f185b60dc257a0d4b4
XWorm
error
XWorm
f254174cd03da1a24f879e5d6f669e6b0109449e705f25b6d54611fbc249de84
XWorm
f499e385f4a4249fadbe00260417c51b26b4cbb32abdf933b6e772d6f22a6cbb
XWorm
fac0ea914e72f08856d3c2c68a4d3f447269d002d8488f8a60aef9d7e989f0c4
XWorm
+ 2'905 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:xworm execution loader rat trojan
Link:
https://tria.ge/reports/260319-s25vdaez6r/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Detects DonutLoader
DonutLoader
Donutloader family
Xworm
Xworm family
Malware Config
C2 Extraction:
69.61.36.229:2080
mTattmrvqnSB2jtWg1xeUQ==:23
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fbd84c13f92b04ac2fca4748fdfb04468d6fb22f361a0fd1a7551ce9762597ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments