MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3768c32a3502eb25fc0b0198ceb5953635d6def683ce281bb8289b01f656e5b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3768c32a3502eb25fc0b0198ceb5953635d6def683ce281bb8289b01f656e5b4
SHA3-384 hash: 158860ea2879cf4f5b97bc0b923c5254b878e1c93080dde3e237c665d4f00f926c7e43a9171d17d79d0769bec4d700ed
SHA1 hash: b1085d24141ee0beacc5b87f9930477fd275e4e2
MD5 hash: 70e5121f4025aec517945ea2fbdbaa97
humanhash: freddie-queen-quebec-xray
File name:awb_DHL_shipping_document_bl_inv_packing_commerical_docs_21_01_202600000000000000000000000000000000000000000000000000000000000000000000000.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:17'532 bytes
First seen:2026-01-21 15:09:41 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 192:KvgawOZUIeUF6j5FZmfpAYGDbjloeWDG5+ivF4MQ8P718+RwZAzE4liMcnI4imL1:KYx1H35FZ2i3Jo+Vvu78u63lid2ON
Threatray 1 similar samples on MalwareBazaar
TLSH T1ED72D821CA09EFF0467E6292684F6C1A59121B11EA34374D798FF89C3B3A261DFC14E9
Magika vba
Reporter lowmal3
Tags:vbs xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
63
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/49658/
Detection(s):
TwinWave.EvilVBA.LostAtSeaFuncInDirection.20240306.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6970ec45f3cf908ba5070f50
Tags:
xtreme shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 masquerade obfuscated obfuscated powershell
Link:
https://www.filescan.io/uploads/6970ec3df3c1b7b1fbd935c0/reports/7f666033-0510-4d69-98f3-555f11fb69a3/overview
Verdict:
Malicious
Labled as:
VBS/Agent.TGD trojan
Link:
https://www.hybrid-analysis.com/sample/3768c32a3502eb25fc0b0198ceb5953635d6def683ce281bb8289b01f656e5b4
Verdict:
Malicious
File Type:
vbs
First seen:
2026-01-21T12:05:00Z UTC
Last seen:
2026-01-23T08:07:00Z UTC
Hits:
~100
Detections:
Trojan-Downloader.PowerShell.NanoShield.sb Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/3768c32a3502eb25fc0b0198ceb5953635d6def683ce281bb8289b01f656e5b4/results?tab=lookup
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1855016
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1855016 Sample: ommerical_docs_21_01_202600... Startdate: 21/01/2026 Architecture: WINDOWS Score: 100 48 xxblessing2026now.duckdns.org 2->48 50 habibjee.store 2->50 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 64 15 other signatures 2->64 9 wscript.exe 1 2->9         started        12 svchost.exe 2->12         started        14 svchost.exe 2 2->14         started        16 4 other processes 2->16 signatures3 62 Uses dynamic DNS services 48->62 process4 signatures5 74 VBScript performs obfuscated calls to suspicious functions 9->74 76 Suspicious powershell command line found 9->76 78 Wscript starts Powershell (via cmd or directly) 9->78 82 2 other signatures 9->82 18 powershell.exe 14 24 9->18         started        80 Changes security center settings (notifications, updates, antivirus, firewall) 12->80 23 MpCmdRun.exe 1 12->23         started        25 conhost.exe 14->25         started        27 conhost.exe 16->27         started        process6 dnsIp7 52 habibjee.store 104.21.73.252, 443, 49721 CLOUDFLARENETUS United States 18->52 42 C:\Users\user\AppData\...\milkps5u.cmdline, Unicode 18->42 dropped 66 Writes to foreign memory regions 18->66 68 Modifies the context of a thread in another process (thread injection) 18->68 70 Suspicious execution chain found 18->70 72 Injects a PE file into a foreign processes 18->72 29 RegAsm.exe 1 4 18->29         started        34 csc.exe 3 18->34         started        36 conhost.exe 18->36         started        38 conhost.exe 23->38         started        file8 signatures9 process10 dnsIp11 54 xxblessing2026now.duckdns.org 185.167.61.11, 3025, 49724 INETLTDTR Turkey 29->54 44 C:\Users\user\AppData\Roaming\svchost.exe, PE32+ 29->44 dropped 84 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->84 86 Drops PE files with benign system names 29->86 46 C:\Users\user\AppData\Local\...\milkps5u.dll, PE32 34->46 dropped 40 cvtres.exe 1 34->40         started        file12 signatures13 process14
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/3768c32a3502eb25fc0b0198ceb5953635d6def683ce281bb8289b01f656e5b4
Verdict:
Malware
YARA:
1 match(es)
Tags:
VBScript WScript.Network
Link:
https://app.malva.re/file/70e5121f4025aec517945ea2fbdbaa97
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3768c32a3502eb25fc0b0198ceb5953635d6def683ce281bb8289b01f656e5b4/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/3768c32a3502eb25fc0b0198ceb5953635d6def683ce281bb8289b01f656e5b4
Threat name:
Script-WScript.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2026-01-21 15:09:54 UTC
File Type:
Text (VBS)
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g5umgkrvalvsl7alagmm5nmvgy25nxxwqphcqg5yfcnqd5sw4w2a._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
error
XWorm
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution persistence rat trojan
Link:
https://tria.ge/reports/260121-sjw5hsbs3e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Badlisted process makes network request
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
xxblessing2026now.duckdns.org:3025
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3768c32a3502eb25fc0b0198ceb5953635d6def683ce281bb8289b01f656e5b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Visual Basic Script (vbs) vbs 3768c32a3502eb25fc0b0198ceb5953635d6def683ce281bb8289b01f656e5b4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/49658/

Comments