MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f10d6cbaf195a7b0c9f708b7f0a225e2de29beb769bdf8d1652b682b1c4679f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 9


Intelligence 9 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f10d6cbaf195a7b0c9f708b7f0a225e2de29beb769bdf8d1652b682b1c4679f
SHA3-384 hash: 5a2c44f0215051847a343fb66630a8042c9251de30477054d69df9bb50fce9cb4cc5e19d5c1b89e5f137662d7ab60eae
SHA1 hash: 70bdb6ff2f40190a8bd9a023cb18c0177fb873cf
MD5 hash: b76c3c118bfa1f1976b7835a010b7677
humanhash: muppet-idaho-ack-yellow
File name:verify.ps1
Download: download sample
Signature XWorm
Create hunting rule
File size:572 bytes
First seen:2025-01-22 16:23:17 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12:G1SQHwMu1eVM1t2IGVsUYYJy7GAWz/Iy4ueRGFVmgEWTJ0zmezonyVMn3E:G0IVMs1p0iJz/HzkGFVmgEeJjdy+0
Threatray 2'183 similar samples on MalwareBazaar
TLSH T10AF0EB44CB279313C231938DB3539572D90EC08C1106AC7DBA8F3A4E3AE92408DF5ADE
Magika powershell
Reporter abuse_ch
Tags:booking booking.com ClickFix FakeCaptcha ps1 xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
172
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67911e0ae708b6e7a3afb0ad
Tags:
autorun dropper shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
persistence
Link:
https://www.filescan.io/uploads/67911ba58a66884824353e3d/reports/a149c26b-e757-4537-bb85-5ab70d8471d2/overview
Verdict:
Malicious
Labled as:
PowerShell/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/0f10d6cbaf195a7b0c9f708b7f0a225e2de29beb769bdf8d1652b682b1c4679f
Result
Verdict:
UNKNOWN
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1596901
Signature
.NET source code references suspicious native API functions
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Found malicious URL file
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Drops script at startup location
Sigma detected: Powershell download and load assembly
Sigma detected: Powerup Write Hijack DLL
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected Powershell download and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1596901 Sample: verify.ps1 Startdate: 22/01/2025 Architecture: WINDOWS Score: 100 52 Suricata IDS alerts for network traffic 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 15 other signatures 2->58 9 powershell.exe 14 21 2->9         started        process3 dnsIp4 48 147.45.44.131, 49731, 49732, 80 FREE-NET-ASFREEnetEU Russian Federation 9->48 42 C:\Windows\Temp\APack.bat, Unicode 9->42 dropped 44 C:\Users\user\AppData\Roaming\...\App.url, MS 9->44 dropped 66 Suspicious execution chain found 9->66 68 Compiles code for process injection (via .Net compiler) 9->68 14 cmd.exe 1 9->14         started        17 conhost.exe 9->17         started        file5 signatures6 process7 signatures8 70 Suspicious powershell command line found 14->70 19 powershell.exe 22 14->19         started        23 conhost.exe 14->23         started        process9 file10 38 C:\Users\user\AppData\...\t32hl0hs.cmdline, Unicode 19->38 dropped 40 C:\Users\user\AppData\Local\...\t32hl0hs.0.cs, Unicode 19->40 dropped 60 Writes to foreign memory regions 19->60 62 Injects a PE file into a foreign processes 19->62 25 RegAsm.exe 19->25         started        28 RegAsm.exe 2 19->28         started        31 csc.exe 3 19->31         started        signatures11 process12 dnsIp13 64 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->64 50 92.255.85.66, 49733, 7000 SOVTEL-ASRU Russian Federation 28->50 34 WerFault.exe 22 16 28->34         started        46 C:\Users\user\AppData\Local\...\t32hl0hs.dll, PE32 31->46 dropped 36 cvtres.exe 1 31->36         started        file14 signatures15 process16
Score:
0%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/0f10d6cbaf195a7b0c9f708b7f0a225e2de29beb769bdf8d1652b682b1c4679f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f10d6cbaf195a7b0c9f708b7f0a225e2de29beb769bdf8d1652b682b1c4679f/
Threat name:
Script-BAT.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-01-22 00:09:11 UTC
File Type:
Text
AV detection:
5 of 24 (20.83%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b4inns5pdfnhwde7ocfx6crclyw6fg7lo2n57diwkk3ifmoem6pq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
2a8290c18d10fa8a7e99575855b9fb8e734ea92b1aa7dce9840282c2657ba08c
XWorm
3a5134cc11c7c47b7268e7bf6bf1556c5ff5044af54b7931cae652bfd8d83717
XWorm
3d6e7e00580e1b17849dcd6c80cbe10b09b2e677deda5016c3baba36517dd462
XWorm
b24e8948d314d492f4e1ae9fd78e8fcb41ee5c9adfd6e9ab7927fca7c333003c
XWorm
c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d76f37afa87bcbf02ab3
XWorm
error
XWorm
f3831d6ca373f539fec77e975ae4fc26451bfb3113513813819ea1111f31a81a
XWorm
+ 2'173 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/250122-twcr3svmby/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
XWorm
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0f10d6cbaf195a7b0c9f708b7f0a225e2de29beb769bdf8d1652b682b1c4679f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:Methodology_Suspicious_Shortcut_Local_URL
Create hunting rule
Author:@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
Description:Detects local script usage for .URL persistence
Reference:https://twitter.com/cglyer/status/1176184798248919044
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:win_xworm_w0
Create hunting rule
Author:jeFF0Falltrades
Description:Detects win.xworm.
Rule name:xworm
Create hunting rule
Author:jeFF0Falltrades
Rule name:xworm_kingrat
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

XWorm

PowerShell (PS) ps1 0f10d6cbaf195a7b0c9f708b7f0a225e2de29beb769bdf8d1652b682b1c4679f

(this sample)

XWorm

Executable exe d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a

  
Dropping
SHA256 d6ea0caa05d1ecd3cdd04f2f2d1279528d05ee8f98e361f21fc503337553cc6a
  
Dropping
MD5 c9c23e8ec35c88ce322287cc2e7e3a6d

Comments