MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38f22fadabc43752dca980f573ec4b0b66d585697e103f7b35ddba449babd941. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38f22fadabc43752dca980f573ec4b0b66d585697e103f7b35ddba449babd941
SHA3-384 hash: 23643250d92e23b5c1d5723a83d44a307a407973c74da4526988cd7f96389bb1621e5b9f5115f76c638cfc23b2f77ca0
SHA1 hash: 4061f73053c94517aa35472267cadc1550a94c20
MD5 hash: 93a5fd13caca347b56f027bd7cf3b813
humanhash: fanta-three-lake-sad
File name:acc.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:86'238 bytes
First seen:2026-03-18 13:43:03 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:t8EHzReHmhnsXIab/Wj9jcmi7G0khfwYrDxAiZPe9bJ:t8EHzUHm+XbWjCRCiileX
TLSH T10E834CB1DE5405960E0727AAFC552AB1CABDC55A462300F1FEDC531E900B6ACA7FE31E
Magika vba
Reporter smica83
Tags:vbs xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57986/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69baabf888c80c01586ba558
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 cmd lolbin obfuscated powershell
Link:
https://www.filescan.io/uploads/69baabf42000fc76c3e9871b/reports/8a41d0bc-e72e-441e-99a0-db05fce1ddf7/overview
Verdict:
Suspicious
Labled as:
Generik.HUDYRWO trojan
Link:
https://www.hybrid-analysis.com/sample/38f22fadabc43752dca980f573ec4b0b66d585697e103f7b35ddba449babd941
Verdict:
Malicious
File Type:
vbs
Detections:
UDS:DangerousObject.Multi.Generic HEUR:Trojan.VBS.Agent.gen
Link:
https://opentip.kaspersky.com/38f22fadabc43752dca980f573ec4b0b66d585697e103f7b35ddba449babd941/results?tab=lookup
Result
Threat name:
GuLoader, XWorm
Create hunting rule
Detection:
malicious
Classification:
phis.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1885698
Signature
AI detected malicious page (phishing or scam)
C2 URLs / IPs found in malware configuration
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a MSI (Microsoft Installer) remotely
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Switches to a custom stack to bypass stack traces
Unusual module load detection (module proxying)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1885698 Sample: acc.vbs Startdate: 18/03/2026 Architecture: WINDOWS Score: 100 52 shed.dual-low.part-0029.t-0009.t-msedge.net 2->52 54 part-0029.t-0009.t-msedge.net 2->54 56 7 other IPs or domains 2->56 68 Suricata IDS alerts for network traffic 2->68 70 Found malware configuration 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 7 other signatures 2->74 10 powershell.exe 18 2->10         started        13 wscript.exe 2 2->13         started        signatures3 process4 file5 76 Writes to foreign memory regions 10->76 78 Found suspicious powershell code related to unpacking or dynamic code loading 10->78 80 Installs a MSI (Microsoft Installer) remotely 10->80 88 2 other signatures 10->88 16 msiexec.exe 5 10 10->16         started        20 msiexec.exe 10->20         started        22 conhost.exe 10->22         started        46 C:\Users\user\AppData\Local\...\Vigtigts.txt, ASCII 13->46 dropped 82 VBScript performs obfuscated calls to suspicious functions 13->82 84 Wscript starts Powershell (via cmd or directly) 13->84 86 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->86 90 2 other signatures 13->90 24 cmd.exe 1 13->24         started        signatures6 process7 dnsIp8 48 217.217.251.213, 49726, 7000 COMUNITELSPAINES Spain 16->48 58 Obfuscated command line found 16->58 60 Installs a MSI (Microsoft Installer) remotely 16->60 26 cmd.exe 1 16->26         started        29 Acrobat.exe 59 16->29         started        31 msiexec.exe 16->31         started        62 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->62 64 Unusual module load detection (module proxying) 20->64 66 Wscript starts Powershell (via cmd or directly) 24->66 33 powershell.exe 14 16 24->33         started        36 conhost.exe 24->36         started        signatures9 process10 dnsIp11 92 Obfuscated command line found 26->92 38 conhost.exe 26->38         started        40 reg.exe 1 1 26->40         started        42 AcroCEF.exe 93 29->42         started        50 dfsl.maharashtra.gov.in 103.8.188.85, 443, 49716, 49724 MHSDC2011-AS4thFloorNewAdministrativeBuildingIN India 33->50 94 Found suspicious powershell code related to unpacking or dynamic code loading 33->94 signatures12 process13 process14 44 AcroCEF.exe 42->44         started       
Score:
90%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/38f22fadabc43752dca980f573ec4b0b66d585697e103f7b35ddba449babd941
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38f22fadabc43752dca980f573ec4b0b66d585697e103f7b35ddba449babd941/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/38f22fadabc43752dca980f573ec4b0b66d585697e103f7b35ddba449babd941
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-03-17 17:57:12 UTC
File Type:
Text (VBS)
AV detection:
5 of 24 (20.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hdzc7lnlyq3vfxfjqd2xh3clbntnlbljpyid66zv3w5ejg5l3faq._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery persistence privilege_escalation rat trojan
Link:
https://tria.ge/reports/260318-q1c2vsaw5y/
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks computer location settings
Use of msiexec (install) with remote resource
Badlisted process makes network request
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
217.217.251.213:7000
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/38f22fadabc43752dca980f573ec4b0b66d585697e103f7b35ddba449babd941

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

XWorm

Shortcut (lnk) lnk b05d4a40c8aa32ed95e92b93e4ba846b59ef36eea72309213ada50633023c67f

XWorm

Visual Basic Script (vbs) vbs 38f22fadabc43752dca980f573ec4b0b66d585697e103f7b35ddba449babd941

(this sample)

  
Dropped by
MD5 004eb763047b02f7811776863b415d25
Cape
Cape
https://www.capesandbox.com/analysis/57986/
  
Dropped by
SHA256 b05d4a40c8aa32ed95e92b93e4ba846b59ef36eea72309213ada50633023c67f

Comments