MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3716c515929ba48afbc09a0f97ea788c69c47f6037a2b203f1c165faff10f78c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3716c515929ba48afbc09a0f97ea788c69c47f6037a2b203f1c165faff10f78c
SHA3-384 hash: 3a8081ced749e266e8d9add6d9a8e19947714247f96eaddcab00e2919d22ed976dcbc488ffc40ed6918121ae829ea359
SHA1 hash: fe1835d92241f2768cf7e34eab77d1a79c6e1ed0
MD5 hash: 0855a28c1c0ab5a9e5bea78cc99e052e
humanhash: summer-coffee-music-eight
File name:Bl_copy_awb_parkinglist_commerical_Inv_documents_20_01_2026_0000000000000000000000.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:17'423 bytes
First seen:2026-01-21 07:03:07 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:KsvEW3/90Q9thX46mSqkvh/jkcGlvex7SW0KeYRSTHNKc6IPlIAkBqN:KsF3/90u140Yvex7SW0KeYRSTHNKfIP9
Threatray 677 similar samples on MalwareBazaar
TLSH T1BA72E8268B159FF00AAE7251788B6D1695520B00A7343A1E7D8FE9DC3B3B271CFD14E9
Magika vba
Reporter lowmal3
Tags:vbs xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
56
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/49613/
Detection(s):
TwinWave.EvilVBA.LostAtSeaFuncInDirection.20240306.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69707a3fbcad3327ec071f4e
Tags:
xtreme shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 obfuscated obfuscated powershell
Link:
https://www.filescan.io/uploads/69707a3c607e8377faddc9ab/reports/64a3990c-e347-4f74-baed-3e81acbc62cd/overview
Verdict:
Malicious
Labled as:
VBS/Agent.TGD trojan
Link:
https://www.hybrid-analysis.com/sample/3716c515929ba48afbc09a0f97ea788c69c47f6037a2b203f1c165faff10f78c
Verdict:
Malicious
File Type:
vbs
First seen:
2026-01-20T19:03:00Z UTC
Last seen:
2026-01-23T03:33:00Z UTC
Hits:
~1000
Detections:
HEUR:Trojan.Script.Generic HEUR:Trojan.Multi.Stego.gen PDM:Trojan.Win32.Generic Trojan-Downloader.PowerShell.NanoShield.sb Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic
Link:
https://opentip.kaspersky.com/3716c515929ba48afbc09a0f97ea788c69c47f6037a2b203f1c165faff10f78c/results?tab=lookup
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1854564
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to log keystrokes (.Net Source)
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1854564 Sample: Bl_copy_awb_parkinglist_com... Startdate: 21/01/2026 Architecture: WINDOWS Score: 100 54 xxblessing2026now.duckdns.org 2->54 56 habibjee.store 2->56 62 Suricata IDS alerts for network traffic 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 70 17 other signatures 2->70 9 wscript.exe 1 2->9         started        12 svchost.exe 2->12         started        14 svchost.exe 1 2->14         started        16 5 other processes 2->16 signatures3 68 Uses dynamic DNS services 54->68 process4 signatures5 80 VBScript performs obfuscated calls to suspicious functions 9->80 82 Suspicious powershell command line found 9->82 84 Wscript starts Powershell (via cmd or directly) 9->84 88 2 other signatures 9->88 18 powershell.exe 14 24 9->18         started        86 Changes security center settings (notifications, updates, antivirus, firewall) 12->86 23 MpCmdRun.exe 1 12->23         started        25 conhost.exe 14->25         started        27 WerFault.exe 2 16->27         started        process6 dnsIp7 58 habibjee.store 104.21.73.252, 443, 49721 CLOUDFLARENETUS United States 18->58 48 C:\Users\user\AppData\...\fk1v5qal.cmdline, Unicode 18->48 dropped 72 Writes to foreign memory regions 18->72 74 Modifies the context of a thread in another process (thread injection) 18->74 76 Suspicious execution chain found 18->76 78 Injects a PE file into a foreign processes 18->78 29 RegAsm.exe 1 4 18->29         started        34 csc.exe 3 18->34         started        36 svchost.exe 2 18->36         started        38 conhost.exe 18->38         started        40 conhost.exe 23->40         started        file8 signatures9 process10 dnsIp11 60 xxblessing2026now.duckdns.org 185.167.61.11, 3025, 49724 INETLTDTR Turkey 29->60 50 C:\Users\user\AppData\Roaming\svchost.exe, PE32+ 29->50 dropped 90 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->90 92 Drops PE files with benign system names 29->92 42 WerFault.exe 21 29->42         started        52 C:\Users\user\AppData\Local\...\fk1v5qal.dll, PE32 34->52 dropped 44 cvtres.exe 1 34->44         started        46 conhost.exe 36->46         started        file12 signatures13 process14
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/3716c515929ba48afbc09a0f97ea788c69c47f6037a2b203f1c165faff10f78c
Verdict:
Malware
YARA:
1 match(es)
Tags:
VBScript WScript.Network
Link:
https://app.malva.re/file/0855a28c1c0ab5a9e5bea78cc99e052e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3716c515929ba48afbc09a0f97ea788c69c47f6037a2b203f1c165faff10f78c/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/3716c515929ba48afbc09a0f97ea788c69c47f6037a2b203f1c165faff10f78c
Threat name:
Script-WScript.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2026-01-21 03:12:40 UTC
File Type:
Text (VBS)
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g4lmkfmstosiv66atihzp2tyrru4i73ag6rlea7ryfs7v7yq66ga._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
03a4caccc4cfc4dc5e3b37cdcd2f9bf61779a8ab79c38be7269d88bbdea1b212
XWorm
15a9f29aaba59940714e92ef77712542ddb68ceb2f82f62ee85e30956ec23929
XWorm
1f0c9c08260580d32bf3f2ba499d5812b93d792a99b6f0b6d4767510219cda3b
XWorm
5368ee78ec544ea4b93c7e7cf85ca44329b2f3931d8f93194be18866052c5731
XWorm
6385ba95a2f179fac688bc5524caebdd20de2fdd3ddbbc531351f8db1965660c
XWorm
68c553786094522830920122539df1d3a8f04caf880d84415728ffac780a4c84
XWorm
ada3af84801eb7e4a28b6e1371b963e820fafc35bd6b7bd15a9a08180cbc17c5
XWorm
bc6edff1b1148a9ad6a3aa8db0371d55ac57c8307ed841fc8e8030bdf4bed7ab
XWorm
ca0a9efe77e9b198d4f40f91aa9cdd9d9ff085f7e1f5ed0453917108917d8819
XWorm
error
XWorm
+ 667 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm defense_evasion execution persistence rat trojan
Link:
https://tria.ge/reports/260121-hvjnfsbv8d/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Badlisted process makes network request
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
xxblessing2026now.duckdns.org:3025
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3716c515929ba48afbc09a0f97ea788c69c47f6037a2b203f1c165faff10f78c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Visual Basic Script (vbs) vbs 3716c515929ba48afbc09a0f97ea788c69c47f6037a2b203f1c165faff10f78c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/49613/

Comments