MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ada9658d296a62753af80cc4b481277ac0dd5e8342b12d08d03481a8de9850b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ada9658d296a62753af80cc4b481277ac0dd5e8342b12d08d03481a8de9850b
SHA3-384 hash: 4e98d4c6930df615bafa5b443571e7846fbd1b0fb592aaa2120cf1ac635199e3c1515f022f210b98358d3e122c74a4a0
SHA1 hash: b137fd331ed6bf93d89564522bd4aef5d3f0ac98
MD5 hash: 6fcc42b6222a8d455878294e5b86f49b
humanhash: venus-summer-failed-early
File name:Project Documents (Drawings, Specifications, BOQ).vbe
Download: download sample
Signature XWorm
Create hunting rule
File size:133'607 bytes
First seen:2025-06-16 11:37:14 UTC
Last seen:2025-06-16 13:40:19 UTC
File type:Visual Basic Script (vbe) vbe
MIME type:text/plain
ssdeep 1536:l8mEzb/rgGpRrjDJkCkRFklYBtyo9hxUmleC3N:SbgGpdDJkCkRFkCyEheXmN
Threatray 1'629 similar samples on MalwareBazaar
TLSH T1BAD3B4237D0036BD5A376F53892AF81BE9B42173124D741D794CB4E00F36F0EA9B669A
Magika vba
Reporter cocaman
Tags:vbe xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
65
Origin country :
CH CH
Vendor Threat Intelligence
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=685001f08bd5d68a12e8cda4
Tags:
autorun xtreme shell sage
Verdict:
Malicious
Labled as:
PowerShell/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/3ada9658d296a62753af80cc4b481277ac0dd5e8342b12d08d03481a8de9850b
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1715474
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Found Tor onion address
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Reflective Assembly Load
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1715474 Sample: Project Documents (Drawings... Startdate: 16/06/2025 Architecture: WINDOWS Score: 100 56 shadow.steelpanman.com 2->56 58 archangel.wuaze.com 2->58 60 9 other IPs or domains 2->60 70 Suricata IDS alerts for network traffic 2->70 72 Found malware configuration 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 18 other signatures 2->76 10 wscript.exe 1 2->10         started        13 WDUpdater.exe 2 2->13         started        15 WDUpdater.exe 1 2->15         started        17 6 other processes 2->17 signatures3 process4 signatures5 92 Suspicious powershell command line found 10->92 94 Wscript starts Powershell (via cmd or directly) 10->94 96 Bypasses PowerShell execution policy 10->96 98 2 other signatures 10->98 19 powershell.exe 15 17 10->19         started        23 conhost.exe 13->23         started        25 conhost.exe 15->25         started        27 conhost.exe 17->27         started        29 conhost.exe 17->29         started        31 conhost.exe 17->31         started        33 conhost.exe 17->33         started        process6 dnsIp7 62 archangel.wuaze.com 185.27.134.120, 49696, 80 WILDCARD-ASWildcardUKLimitedGB United Kingdom 19->62 64 archive.org 207.241.224.2, 443, 49692 INTERNET-ARCHIVEUS United States 19->64 66 dn721404.ca.archive.org 204.62.246.237, 443, 49693 COGENT-174US United States 19->66 78 Found Tor onion address 19->78 80 Creates multiple autostart registry keys 19->80 82 Writes to foreign memory regions 19->82 84 2 other signatures 19->84 35 MSBuild.exe 1 5 19->35         started        40 MSBuild.exe 19->40         started        42 cmd.exe 2 19->42         started        44 2 other processes 19->44 signatures8 process9 dnsIp10 68 shadow.steelpanman.com 216.250.251.217, 49697, 8080 AS-TIERP-19019US United States 35->68 52 C:\Users\user\AppData\Roaming\WDUpdater.exe, PE32 35->52 dropped 86 Creates multiple autostart registry keys 35->86 46 schtasks.exe 1 35->46         started        88 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 40->88 90 Uses schtasks.exe or at.exe to add and modify task schedules 40->90 54 C:\Users\Public\Downloads\genitalia, data 42->54 dropped 48 conhost.exe 42->48         started        file11 signatures12 process13 process14 50 conhost.exe 46->50         started       
Score:
49%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/3ada9658d296a62753af80cc4b481277ac0dd5e8342b12d08d03481a8de9850b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ada9658d296a62753af80cc4b481277ac0dd5e8342b12d08d03481a8de9850b/
Threat name:
Script.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-06-16 11:37:17 UTC
File Type:
Text (VBS)
AV detection:
4 of 24 (16.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hlnjmwgss2tcou5pqdgewsaso6wa3vpigqvrfuenanebvdpjqufq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
258168f70a3f2f1a7ce46dd548c13a8b4d822a14644da7b0dbc77118684eee3f
XWorm
2a6745ebfc8f6fe258dc62ab69457a53d97802336350ad54f723d232c2ca58c3
XWorm
3a33f0319f48278d3f16b75a7f66ce52d72ad79a65a81fbed386abb8a2b47329
XWorm
4600e1f35249611dce0f90e70df8f497e4e8d1201a5b92b514144dfddc521a5e
XWorm
63ba678815aecb8a822130ec04b4cf2869cc15baf8fe30c72814b84b6082aac7
XWorm
6e3b7e91cfd74e8c92b717a46ea27d3c0fdccc75be62bb5c2d8bc58c8acdd9bf
XWorm
9013007cca0b9c0b3c4d3b1e8a68a98cba219b8a54908a63e18f1531167d392d
XWorm
c82167abd7f99c79f6559f6e5f92db8afdb08d6ebabbd588b0f3c63beaead681
XWorm
dc433c8011e80188527c9debf83c0e5462eb46e716a765621f03755218683352
XWorm
ee6a640fc9f9d3e23cded0d543313c66467949737aab806f33cd86f9df744780
XWorm
error
XWorm
+ 1'619 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution persistence rat trojan
Link:
https://tria.ge/reports/250616-pm114acj41/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ada9658d296a62753af80cc4b481277ac0dd5e8342b12d08d03481a8de9850b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique
Rule name:without_attachments
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any attachment
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

rar 5fae2cb6661491b52d88989b21c5a43fc833fc04f0f682ec0042b8c0557ea882

XWorm

Visual Basic Script (vbe) vbe 3ada9658d296a62753af80cc4b481277ac0dd5e8342b12d08d03481a8de9850b

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 5fae2cb6661491b52d88989b21c5a43fc833fc04f0f682ec0042b8c0557ea882
  
Dropped by
MD5 152c175b411efe940d4adbb10ac18970

Comments