MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22620c9c6d0c2b392ee34bd4e7905b6f161bfe25ed3dc756302aeb091a994b0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22620c9c6d0c2b392ee34bd4e7905b6f161bfe25ed3dc756302aeb091a994b0e
SHA3-384 hash: 89cdb83e927c3e1e9c3ab826803ed1877822bbac25804e1e7cbf0101000d14394095e52c55e837b7355ac367b7373e5a
SHA1 hash: 6ae236fa1ae78011d3dd8dcb3afc3b6a1eb467f9
MD5 hash: 35f1dcdad211c0ef4409bd554cfd1425
humanhash: oklahoma-bakerloo-nebraska-emma
File name:Purchase Order.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:2'151'105 bytes
First seen:2026-06-18 20:27:14 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/csv
ssdeep 192:mO+3jvxoP3WtDmuoVInT3f1BFuyWx2Ix5uPH3rfgKDKcUBpgVOrclB+XfBJzTeiN:3TVkSb
Threatray 191 similar samples on MalwareBazaar
TLSH T1C6A51206761237B2AFA0EFCCDAC55958FBD27A022454288AE441F6D707CDC3BD68BD52
Magika txt
Reporter James_inthe_box
Tags:exe vbs xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
209
Origin country :
US US
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71200/
Detection(s):
SecuriteInfo.com.VBS.Starter.539.30671.22108.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a3454b21548daf709f7b4a2
Tags:
ransomware autorun shell sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated
Link:
https://www.filescan.io/uploads/6a3454af9799578a6c409fa4/reports/def1da30-048b-4af3-bf00-1265976053c1/overview
Verdict:
Malicious
Labled as:
Downloader
Link:
https://www.hybrid-analysis.com/sample/22620c9c6d0c2b392ee34bd4e7905b6f161bfe25ed3dc756302aeb091a994b0e
Verdict:
Malicious
File Type:
text.utf8
First seen:
2026-06-18T06:41:00Z UTC
Last seen:
2026-06-20T18:16:00Z UTC
Hits:
~1000
Detections:
Trojan.VBS.SAgent.sb Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan-Downloader.PowerShell.Agent.gen
Link:
https://opentip.kaspersky.com/22620c9c6d0c2b392ee34bd4e7905b6f161bfe25ed3dc756302aeb091a994b0e/results?tab=lookup
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/22620c9c6d0c2b392ee34bd4e7905b6f161bfe25ed3dc756302aeb091a994b0e/
Verdict:
Malicious
Threat:
Trojan.VBS.SAgent
Link:
https://tip.neiki.dev/file/22620c9c6d0c2b392ee34bd4e7905b6f161bfe25ed3dc756302aeb091a994b0e
Threat name:
Script-WScript.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2026-06-18 12:57:23 UTC
File Type:
Binary
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ejrazhdnbqvtslxdjpkopec3n4lbx7rf5u64ovrqflvqsguzjmha._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
210170766b751c666c3d6a9588a7c990a69e8c634a878efc224ff586d6424e94
XWorm
265d12ace3e4a41c759987720c123a55bd6ec59b87aefe921ddaafa6e89e88a4
XWorm
292568fdf69cebf5ed05e083517f210a0d4d9f94970990968714343a59f7317a
XWorm
2f73a285521422b982102ab6755a503efeb36a1719da5b8f3153e094220f5300
XWorm
314fd50ab6eeb4ce78d0d72719bdeddf8cceebdde6f8c84484ba05486d257b4f
XWorm
56f14ce40e19fb067daf65a973dca1ca3c319834ced645613d72535db37882eb
XWorm
968416f33911ac6dbdf52a31009d85d954bd3ad3d13aa73bf52d4731c2efa768
XWorm
c365fb4056768fff09d504a81621c669371ba623ec3098c71ed34e257f9bf7e5
XWorm
error
XWorm
+ 181 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm adware discovery execution persistence ransomware rat spyware trojan
Link:
https://tria.ge/reports/260618-y8mv2abw2r/
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Enumerates connected drives
Checks computer location settings
Drops startup file
Executes dropped EXE
Badlisted process makes network request
Boot or Logon Autostart Execution: Active Setup
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Family: Xworm
Process spawned unexpected child process
Malware Config
C2 Extraction:
103.83.87.182:2222
Dropper Extraction:
https://icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev/WaBwl
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/22620c9c6d0c2b392ee34bd4e7905b6f161bfe25ed3dc756302aeb091a994b0e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/71200/

Comments