MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40ecd87f03421f02f30dafe7a4613d7c588fd90931b7682f7126cda3a3032971. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 13

SHA256 hash: 40ecd87f03421f02f30dafe7a4613d7c588fd90931b7682f7126cda3a3032971
SHA3-384 hash: 9d47882ba26e49e39e13d5eb2442ff150aa1671cc530f3e3b41fa96215b23b1d1993940460f50810e076a4cb806bddc4
SHA1 hash: 7b3e5448d43b7da5af89761cae89d1fdeedc5e80
MD5 hash: 00dc219feecbedb511916379882b05b6
humanhash: grey-delta-single-september
File name: BBVA S.A..PDF.vbs
Signature: XWorm
File size: 94'482 bytes
First seen: 2025-11-20 07:05:38 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 768:JoRiswsaleabwAoPmCzJAyFivVdQhcSyjAaC7Q77vYNsCvALNOk8ma:ANhoxOkk
Threatray: 766 similar samples on MalwareBazaar
TLSH: T1E19327925BE834C4988D2CB7618701770B2254FA0863C9F3872E62DA5DC7798E8D4F9F
Magika: vba
Reporter: abuse_ch
Tags: BBVA vbs xworm

Intelligence

File Origin
# of uploads: 1
# of downloads: 60
Origin country: SE

Vendor Threat Intelligence

Verdict: Malicious
Score: 92.5%
Tags: obfuscate xtreme shell

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm base64 base64 fingerprint masquerade obfuscated obfuscated opendir overlay powershell

Verdict: Malicious
File Type: vbs
First seen: 2025-11-18T03:50:00Z UTC
Last seen: 2025-11-21T22:41:00Z UTC
Hits: ~1000
Detections: Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic

Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100

Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates processes via WMI
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected MSILDownloaderGeneric
Yara detected Powershell download and execute
Yara detected XWorm

Behaviour
Behavior Graph (ID 1817516; sample BBVA S.A..PDF.vbs; start date 20/11/2025; architecture WINDOWS; score 100), recovered from the flattened graph image:
Network contacts: ia601700.us.archive.org (207.241.227.90, ports 80, 49694, 49697; INTERNET-ARCHIVEUS, United States), 91.92.243.152 (ports 23101, 49695, 49696; THEZONEBG, Bulgaria), bg.microsoft.map.fastly.net, 127.0.0.1.
Process tree: powershell.exe (top level) -> aspnet_compiler.exe (two instances), cmd.exe, conhost.exe; aspnet_compiler.exe -> WerFault.exe; cmd.exe -> conhost.exe; wscript.exe (first instance, no children shown); wscript.exe (second instance) -> powershell.exe -> aspnet_compiler.exe, conhost.exe; svchost.exe (contacts 127.0.0.1).
Dropped files: C:\Users\user\AppData\...\Protect544cd51a.dll (PE32, dropped by aspnet_compiler.exe); C:\ProgramData\zs2viGlt9I.vbs (Unicode, dropped by cmd.exe).
Signatures by node: top level: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures. powershell.exe: Writes to foreign memory regions; Injects a PE file into a foreign processes; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent). wscript.exe: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Suspicious execution chain found; Creates processes via WMI; Windows Scripting host queries suspicious COM object (likely to drop second stage). aspnet_compiler.exe: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Unusual module load detection (module proxying). cmd.exe: Command shell drops VBS files. second powershell.exe: Writes to foreign memory regions; Injects a PE file into a foreign processes.

Verdict: Malware
YARA: 1 match(es)
Tags: OlePrn.DSPrintQueue.1 Scripting.FileSystemObject VBScript

Threat name: Script-WScript.Trojan.Leonem
Status: Malicious
First seen: 2025-11-18 12:03:15 UTC
File Type: Binary
AV detection: 15 of 38 (39.47%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:xworm collection defense_evasion discovery execution persistence rat spyware trojan

Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Modifies trusted root certificate store through registry
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Process spawned unexpected child process
Xworm
Xworm family

Malware Config
C2 Extraction: 91.92.243.152:23101
Dropper Extraction: http://ia601700.us.archive.org/35/items/optimized_msi_20251117_2249/optimized_MSI.png
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments