MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 168c048aa7ca05f48086bf8ed7fe8886a6e220e2b5d123b56db4932ab04aec5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 168c048aa7ca05f48086bf8ed7fe8886a6e220e2b5d123b56db4932ab04aec5b
SHA3-384 hash: 89baad864110a085daf71a23aa9bd1e9b1c354e3ea0cf794f743620caf6a1e2488ebea0b69a6e0c37a19f2de45a7532b
SHA1 hash: 5ef5e00eb14be05d5d89cd61dc94d4ac4d36f762
MD5 hash: 4afad6366d8fb4b51b9b644bd3bbb275
humanhash: mexico-bacon-lactose-crazy
File name:8191032732_1740264845.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:35'909 bytes
First seen:2025-04-03 06:56:01 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 768:h8Jq1EZyHe8+632JWihztwufWpMFzRcknrr4mTQzBNKbm8YKi8XzP6Q/i:hERSqhaufWEz+knHl82iT
Threatray 1'735 similar samples on MalwareBazaar
TLSH T19BF2BF170CDE9BD503A431C8543EC943C88CE7C952FEB7513256FEB9F8AB608596C2A9
Magika vba
Reporter abuse_ch
Tags:vbs xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/253/
Detection(s):
SecuriteInfo.com.BAT.Obfus-3.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Script.SNH-gen.14415.17792.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ee3393855e5ec5240cc000
Tags:
autorun xtreme shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive obfuscated powershell timeout
Link:
https://www.filescan.io/uploads/67ee31192d430c849e0431a0/reports/a8d970ea-f49b-45fb-a089-d2b4540e2635/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/168c048aa7ca05f48086bf8ed7fe8886a6e220e2b5d123b56db4932ab04aec5b
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1655338
Signature
Antivirus detection for URL or domain
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1655338 Sample: 8191032732_1740264845.vbs Startdate: 03/04/2025 Architecture: WINDOWS Score: 100 61 Antivirus detection for URL or domain 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 Yara detected Powershell download and execute 2->65 67 6 other signatures 2->67 9 wscript.exe 2 2->9         started        13 cmd.exe 1 2->13         started        15 svchost.exe 1 1 2->15         started        process3 dnsIp4 53 C:\Users\user\AppData\Local\TempWVm.bat, ASCII 9->53 dropped 83 VBScript performs obfuscated calls to suspicious functions 9->83 85 Wscript starts Powershell (via cmd or directly) 9->85 87 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->87 89 Suspicious execution chain found 9->89 18 cmd.exe 1 9->18         started        21 cmd.exe 1 13->21         started        23 conhost.exe 13->23         started        59 127.0.0.1 unknown unknown 15->59 file5 signatures6 process7 signatures8 69 Wscript starts Powershell (via cmd or directly) 18->69 71 Suspicious command line found 18->71 25 cmd.exe 1 18->25         started        28 conhost.exe 18->28         started        30 powershell.exe 21->30         started        32 conhost.exe 21->32         started        34 cmd.exe 1 21->34         started        36 timeout.exe 1 21->36         started        process9 signatures10 77 Wscript starts Powershell (via cmd or directly) 25->77 79 Suspicious command line found 25->79 38 powershell.exe 14 39 25->38         started        43 conhost.exe 25->43         started        45 cmd.exe 1 25->45         started        81 Suspicious powershell command line found 30->81 47 powershell.exe 30->47         started        process11 dnsIp12 55 137.184.74.73, 5000 PANDGUS United States 38->55 57 87.121.79.103, 49683, 49695, 80 NETERRA-ASBG Bulgaria 38->57 51 C:\Users\user\...\StartupScript_cadd0da3.cmd, ASCII 38->51 dropped 73 Suspicious powershell command line found 38->73 75 Loading BitLocker PowerShell Module 38->75 49 powershell.exe 28 38->49         started        file13 signatures14 process15
Score:
94%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/168c048aa7ca05f48086bf8ed7fe8886a6e220e2b5d123b56db4932ab04aec5b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/168c048aa7ca05f48086bf8ed7fe8886a6e220e2b5d123b56db4932ab04aec5b/
Threat name:
Script.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-02-23 02:35:16 UTC
File Type:
Text (VBS)
AV detection:
8 of 36 (22.22%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c2gajcvhzic7jaegx6hnp7uiq2toeihcwxishnlnwsjsvmck5rnq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
16a943871c4cb2706dafce5dc0b8c50d3a8c9e7ea27f1094fc442e174543fa98
XWorm
3e725d0efe588ac45c5bfa6aee1b6d5e75b65aa3a301e274c5e8e825ac390b7e
XWorm
3eea63494700199962ddc2383bcf335edbdd066b991594706243bf3beff34824
XWorm
53a2f686422f9f71b69d3a9699661c96dc1375d490ea188d5141bb1e8ae89029
XWorm
6eb67d7b4f3bc02d157329350e8032e7d5abb03be4db2823280983e5284ad68c
XWorm
80a21952b87d83eb419768268b334364ecab48dbb9cbe55b967ba9636e512cab
XWorm
89eabddee18d85a93a07e8022d1da5e2aa892f1bc8080f86fc771a984b0ba709
XWorm
95bd50b1c849b16159f239b176e9c48d97bc7d841441829ec974997a93cb4c1e
XWorm
cd15d1ae63b73ca3c161caca160860c0609876937ed73a0a6c22657534bfeeee
XWorm
error
XWorm
fbb6e25ede47737ad9d540192a46117ce42c6e24c7ce60d027e36ff49cba8213
XWorm
+ 1'725 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/250403-hqll9a1yhx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
137.184.74.73:5000
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/168c048aa7ca05f48086bf8ed7fe8886a6e220e2b5d123b56db4932ab04aec5b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Visual Basic Script (vbs) vbs 168c048aa7ca05f48086bf8ed7fe8886a6e220e2b5d123b56db4932ab04aec5b

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/253/
  
URLhaus
https://urlhaus.abuse.ch/url/3490278/
  
Delivery method
Distributed via web download

Comments