MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d396ac219738c90a4d80fd423f91470994f2c13a49f7d20f0720e62a5734a0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d396ac219738c90a4d80fd423f91470994f2c13a49f7d20f0720e62a5734a0c
SHA3-384 hash: 1968e670b02410e44995a358f63b9e38ba1929b95ec64a7c69b2fe3b8dc6477323203fdb21d675c5c628af5338d3fa89
SHA1 hash: 7f8dad22e045cd14e4e59337d784e57fa8c12abf
MD5 hash: eefbf3700312a44c673c7724667f3566
humanhash: robert-bluebird-mobile-low
File name:screenshots.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:2'848 bytes
First seen:2024-02-08 07:13:16 UTC
Last seen:2024-02-08 15:52:59 UTC
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:js+h7Jlul4XHrluBckRHVsosoAuRFf8fa:P7iuXLE2kR1sosoBTf8fa
TLSH T1B6516E8277F82706F5F32A4959B860294E3F7D66983CC24C4298094E4FF3B029965FB3
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:vbs xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/475308/
Detection(s):
SecuriteInfo.com.Script.SNH-gen.1176.30910.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
nemucod virus
Link:
https://www.filescan.io/uploads/65c47f3eb4bd387cafd23545/reports/cb5e8d73-628f-424a-920e-48db92c5864a/overview
Verdict:
Malicious
Labled as:
VBS/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/5d396ac219738c90a4d80fd423f91470994f2c13a49f7d20f0720e62a5734a0c
Result
Verdict:
MALICIOUS
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
spre.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1388855
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1388855 Sample: screenshots.vbs Startdate: 08/02/2024 Architecture: WINDOWS Score: 100 34 greatrackspace8400.duckdns.org 2->34 36 paste.ee 2->36 38 uploaddeimagens.com.br 2->38 52 Snort IDS alert for network traffic 2->52 54 Multi AV Scanner detection for domain / URL 2->54 56 Found malware configuration 2->56 62 11 other signatures 2->62 10 wscript.exe 1 2->10         started        14 wscript.exe 2->14         started        16 wscript.exe 2->16         started        signatures3 58 Uses dynamic DNS services 34->58 60 Connects to a pastebin service (likely for C&C) 36->60 process4 dnsIp5 42 paste.ee 172.67.187.200, 443, 49705, 49706 CLOUDFLARENETUS United States 10->42 72 VBScript performs obfuscated calls to suspicious functions 10->72 74 Suspicious powershell command line found 10->74 76 Wscript starts Powershell (via cmd or directly) 10->76 80 3 other signatures 10->80 18 powershell.exe 7 10->18         started        78 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->78 signatures6 process7 signatures8 46 Suspicious powershell command line found 18->46 48 Suspicious execution chain found 18->48 50 Found suspicious powershell code related to unpacking or dynamic code loading 18->50 21 powershell.exe 15 16 18->21         started        25 conhost.exe 18->25         started        process9 dnsIp10 40 uploaddeimagens.com.br 104.21.45.138, 443, 49707 CLOUDFLARENETUS United States 21->40 64 Suspicious powershell command line found 21->64 66 Creates autostart registry keys with suspicious values (likely registry only malware) 21->66 68 Writes to foreign memory regions 21->68 70 Injects a PE file into a foreign processes 21->70 27 RegAsm.exe 3 21->27         started        30 powershell.exe 12 21->30         started        signatures11 process12 dnsIp13 44 greatrackspace8400.duckdns.org 94.156.65.113, 49709, 49712, 49717 TERASYST-ASBG Bulgaria 27->44 32 conhost.exe 30->32         started        process14
Score:
2%
Verdict:
Benign
File Type:
ASCII
Link:
https://malprob.io/report/5d396ac219738c90a4d80fd423f91470994f2c13a49f7d20f0720e62a5734a0c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d396ac219738c90a4d80fd423f91470994f2c13a49f7d20f0720e62a5734a0c/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-02-07 20:25:38 UTC
File Type:
Text (VBS)
AV detection:
5 of 38 (13.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lu4wvqqzoogjbjgyb7kch6iuocmu6latuspx2ihqoihgfjltjiga._file
Verdict:
malicious
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm persistence rat trojan
Link:
https://tria.ge/reports/240208-h2m98aefam/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction:
greatrackspace8400.duckdns.org:8400
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.08
Link:
https://yomi.yoroi.company/submissions/5d396ac219738c90a4d80fd423f91470994f2c13a49f7d20f0720e62a5734a0c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

zip 170a64863ea4d4e5ffb1bfde801c315c1b12b3c34f4cb43872f63dbdb6da8285

XWorm

img 79896ab9ec1fad79d24bf3d9cea0565d06f2b0f8119af8d1d7da98f167cd399a

XWorm

Visual Basic Script (vbs) vbs 5d396ac219738c90a4d80fd423f91470994f2c13a49f7d20f0720e62a5734a0c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/475308/
  
Dropped by
SHA256 79896ab9ec1fad79d24bf3d9cea0565d06f2b0f8119af8d1d7da98f167cd399a
  
Dropped by
MD5 4b361e8c05f68aff9c1a5371ea9c52ab

Comments