MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35ebf53977016f9547bc526dcfbb1a54564a49820b8aeab785f39284e3f5f764. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35ebf53977016f9547bc526dcfbb1a54564a49820b8aeab785f39284e3f5f764
SHA3-384 hash: 331e3b5a05b6a442be8341105191ce5c68799e73d325bb78cb8e96ce4e5d86a7feadae13862b9a0108a6b967284f73df
SHA1 hash: 87f9697bd7fd17f2065aba1826b72f70c0f3c249
MD5 hash: b7acae2dccc073a95b4efaf6b8b06ba6
humanhash: north-zebra-asparagus-uncle
File name:model.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:1'265 bytes
First seen:2025-12-11 23:29:10 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:9A1+L6nySe0R0evMGPwmLTGNivpcwQqc/DC8OQOMr7smU8qtOpc:eBnyS1R0e047yDX7smUnkc
Threatray 2'147 similar samples on MalwareBazaar
TLSH T18521A5EFB410D95C070B60C496D664ACD872D217AC138574A694CD5B4A0D7F575C858F
Magika vba
Reporter DaveLikesMalwre
Tags:Downloader vbs xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
GB GB
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44371/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=693b540ebde6a3e59710809b
Tags:
phishing shell agent sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive lolbin persistence powershell timeout wscript
Link:
https://www.filescan.io/uploads/693b540d1eac7b9b76a6b139/reports/69423d74-3320-41c0-bc54-3a4e5ab6aa2c/overview
Verdict:
Suspicious
Labled as:
TR/SNH
Link:
https://www.hybrid-analysis.com/sample/35ebf53977016f9547bc526dcfbb1a54564a49820b8aeab785f39284e3f5f764
Verdict:
Malicious
File Type:
vbs
First seen:
2025-12-09T07:42:00Z UTC
Last seen:
2025-12-12T07:03:00Z UTC
Hits:
~100
Detections:
Trojan.VBS.Agent.bhr Backdoor.Win32.Androm Backdoor.MSIL.XWorm.a Backdoor.Agent.TCP.C&C PDM:Trojan.Win32.Generic UDS:DangerousObject.Multi.Generic Trojan-Downloader.JS.SLoad.sb Trojan.Win32.Agent.sb Trojan.JS.SAgent.sb Backdoor.MSIL.XWorm.b Trojan-Dropper.Win32.Injector.sb Trojan-Downloader.JS.Cryptoload.sb Trojan.VBS.SAgent.sb HEUR:Trojan.BAT.Alien.gen Trojan-PSW.Win32.Stealer.sb Trojan.PowerShell.Invoker.i HEUR:Trojan-Downloader.VBS.SLoad.gen NetTool.PowerShellUA.HTTP.C&C NetTool.PowerShellGet.HTTP.C&C
Link:
https://opentip.kaspersky.com/35ebf53977016f9547bc526dcfbb1a54564a49820b8aeab785f39284e3f5f764/results?tab=lookup
Score:
91%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/35ebf53977016f9547bc526dcfbb1a54564a49820b8aeab785f39284e3f5f764
Verdict:
Malware
YARA:
1 match(es)
Tags:
DeObfuscated MSXML2.XMLHTTP Obfuscated Scripting.FileSystemObject T1059.005 VBScript WScript.Shell
Link:
https://app.malva.re/file/b7acae2dccc073a95b4efaf6b8b06ba6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35ebf53977016f9547bc526dcfbb1a54564a49820b8aeab785f39284e3f5f764/
Verdict:
Malicious
Threat:
Backdoor.MSIL.XWorm
Link:
https://tip.neiki.dev/file/35ebf53977016f9547bc526dcfbb1a54564a49820b8aeab785f39284e3f5f764
Threat name:
Script-WScript.Backdoor.XWorm
Create hunting rule
Status:
Malicious
First seen:
2025-12-11 23:30:23 UTC
File Type:
Text (VBS)
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gxv7kolxafxzkr54kjw47oy2krleusmcbofovn4f6ojijy7v65sa._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
24d5c728af9ea56d4148f0d00e443db04621415c3730ab68b6ad8b8b3ec534bf
XWorm
3ed8d3644585e7a3c4e49ccb716e72950349d35144e912d7e9bc4b810abe62ac
XWorm
49de2c0ea488dd89b705c9ed19a78b5f27749a05ca652934df207a999007e1cb
XWorm
581ccdedd0f1e52d4827a25038c0eeb4f3526cbcb430df2cb3f8607995805991
XWorm
a42941472759b2fbbd3d8958263b1f83cf2619190b15926ff39bfdff12ab9964
XWorm
e284f6a66413a2f9084bb75b132da2a32384ce0f45dec45e95d219f58bcec86a
XWorm
error
XWorm
+ 2'137 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm defense_evasion discovery execution persistence rat trojan
Link:
https://tria.ge/reports/251211-3hb33ag12d/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
.NET Reactor proctector
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
84.200.17.174:6000
Dropper Extraction:
https://raw.githubusercontent.com/Its-Mr-Null/x0x0/refs/heads/main/mod.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35ebf53977016f9547bc526dcfbb1a54564a49820b8aeab785f39284e3f5f764

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Visual Basic Script (vbs) vbs 35ebf53977016f9547bc526dcfbb1a54564a49820b8aeab785f39284e3f5f764

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3731832/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/44371/

Comments