MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28411836a36d2e80c251de2fba0ac8c10258c9a4a8b69dab2977e26ef0d657e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	28411836a36d2e80c251de2fba0ac8c10258c9a4a8b69dab2977e26ef0d657e8
SHA3-384 hash:	3c7bfa2a9051fcef77da6f3b097aaf91fe1aeeb2df5c06f9b2890269d25205d91b33443859ee0611400d69b160efd786
SHA1 hash:	0351f96c3ca101cc799ee29a756fbb3125857b80
MD5 hash:	fa7d9b87122b51017e205a37bb862ef8
humanhash:	coffee-tennessee-carbon-football
File name:	as866sd7f623f72f76f67sdf676ds7f67df6fs7f6.vbs
Download:	download sample
Signature	XWorm Create hunting rule
File size:	1'285'318 bytes
First seen:	2026-02-04 21:09:08 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	384:9++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++F:YhEFF/ua1
Threatray	25 similar samples on MalwareBazaar
TLSH	T10755503318A56E8ADE8958BC502EFE4437FD5A6FB302EDFC82F8C39204995E51065C9D
Magika	txt
Reporter	James_inthe_box
Tags:	exe vbs xworm

Intelligence

File Origin

# of uploads :

# of downloads :

168

Origin country :

Vendor Threat Intelligence

No detections

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/51741/

Detection(s):

SecuriteInfo.com.VBS.Agent-101.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6983b57e9a60ec70d92ce173

Tags:

ransomware shell sage

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6983b57b930564ff3c8b12f1/reports/fe6cb7d7-b07b-4817-85c6-9c9a97002241/overview

Verdict:

Malicious

Labled as:

GT:VB.VBS.Rempi.5

Link:

https://www.hybrid-analysis.com/sample/28411836a36d2e80c251de2fba0ac8c10258c9a4a8b69dab2977e26ef0d657e8

Verdict:

Malicious

File Type:

vbs

First seen:

2026-02-04T09:34:00Z UTC

Last seen:

2026-02-05T09:36:00Z UTC

Hits:

~100

Detections:

Backdoor.Agent.TCP.C&C Trojan.Win32.Zapchast.bhgd Trojan.JS.SAgent.sb PDM:Trojan.Win32.Generic HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Win32.Agentb.gen HEUR:Trojan.Script.Generic Trojan.VBS.SAgent.sb Trojan.Agentb.TCP.C&C

Link:

https://opentip.kaspersky.com/28411836a36d2e80c251de2fba0ac8c10258c9a4a8b69dab2977e26ef0d657e8/results?tab=lookup

Score:

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/28411836a36d2e80c251de2fba0ac8c10258c9a4a8b69dab2977e26ef0d657e8

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/28411836a36d2e80c251de2fba0ac8c10258c9a4a8b69dab2977e26ef0d657e8/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/28411836a36d2e80c251de2fba0ac8c10258c9a4a8b69dab2977e26ef0d657e8

Threat name:

Script-WScript.Backdoor.Xworm

Status:

Malicious

First seen:

2026-02-04 21:09:19 UTC

File Type:

Binary

AV detection:

8 of 24 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fbarqnvdnuxibqsr3yx3ucwiyebfrsnevc3j3kzjo7rg54gwk7ua._file

Verdict:

malicious

Label(s):

xworm

XWorm

3e125892e37f2ce359cf84290c0faf71111848ee92daefb2491ee6b7a88abdeb

XWorm

736b5cfb4a0d3c224c9921ff9aa0cbcb9642473518d28db87385cf97b47e43bd

XWorm

76d754762ecb00824648d80d2d4147278d1dcc56326cc961ca97ea10e11d6d8c

XWorm

c07cc41e7acf586cc74eb81b717be75d7881264e755815da2eee07d9294bcdbb

XWorm

cf682acee9bde875f8895d47c14aed3cc5c9b4d75c0c014ae4c91b4c41e3d741

XWorm

error

XWorm

+ 15 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm collection discovery execution rat trojan

Link:

https://tria.ge/reports/260204-zzj88aes3d/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Drops startup file

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Detect Xworm Payload

Process spawned unexpected child process

Xworm

Xworm family

Malware Config

C2 Extraction:

103.83.87.178:1991

Dropper Extraction:

https://res.cloudinary.com/dy6a9cqng/image/upload/v1770138980/MSI_PRO_with_b64_i2nw7s.jpg

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/28411836a36d2e80c251de2fba0ac8c10258c9a4a8b69dab2977e26ef0d657e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ClamAV_Emotet_String_Aggregate Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/51741/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample