MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ff75749c2d51435855afc23501105d259ed8213cd24085e1164f056ac2c2e05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ff75749c2d51435855afc23501105d259ed8213cd24085e1164f056ac2c2e05
SHA3-384 hash: 839efd1cbf86ee8181223b8a7c8fbd5130f0d04231cdab43502c48f5428241dc35f3cf1a61b097f0b7cecd2492045f3e
SHA1 hash: 2e4df7dcdf74f3f05330d3b6fb1600cecdee8bf2
MD5 hash: b47d42cd4867d9073658645208b3e061
humanhash: magnesium-music-nevada-leopard
File name:a.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:122'278 bytes
First seen:2023-04-12 12:01:00 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:JPX8kcF/OTS/1ZhJbF+t3WyfaXGxbMN75ro6B0Zg:h5Y1ZPb2A
Threatray 52 similar samples on MalwareBazaar
TLSH T1DEC3575328DE9CC8A3E17D434B9FA27E47F7F1A7543EA16954C80A0917D294EE8213E3
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter JAMESWT_WT
Tags:vbs xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381767/
Detection(s):
SecuriteInfo.com.VB.Heur.Dropper.1.88E43020.Gen.30118.31839.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  10/10
Confidence:
67%
Link:
https://www.filescan.io/uploads/64369d822e9d861072d65632/reports/403b6529-ba53-45bf-b407-237dd1ff1b5c/overview
Verdict:
Malicious
Labled as:
VB.Dropper.1.88E43020
Link:
https://www.hybrid-analysis.com/sample/5ff75749c2d51435855afc23501105d259ed8213cd24085e1164f056ac2c2e05
Result
Verdict:
MALICIOUS
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1212495
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Downloads files with wrong headers with respect to MIME Content-Type
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses the Telegram API (likely for C&C communication)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 845411 Sample: a.vbs Startdate: 12/04/2023 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 10 other signatures 2->42 7 wscript.exe 10 2->7         started        11 wscript.exe 7 2->11         started        process3 file4 28 C:\Users\user\...\a.vbs:Zone.Identifier, ASCII 7->28 dropped 30 C:\Users\user\AppData\Roaming\...\a.vbs, Unicode 7->30 dropped 44 VBScript performs obfuscated calls to suspicious functions 7->44 46 Suspicious powershell command line found 7->46 48 Wscript starts Powershell (via cmd or directly) 7->48 52 2 other signatures 7->52 13 powershell.exe 14 7 7->13         started        50 Very long command line found 11->50 17 powershell.exe 11->17         started        signatures5 process6 dnsIp7 34 45.88.67.75, 3333, 49695, 49697 LVLT-10753US Bulgaria 13->34 54 Writes to foreign memory regions 13->54 56 Injects a PE file into a foreign processes 13->56 19 MSBuild.exe 15 2 13->19         started        22 conhost.exe 13->22         started        24 jsc.exe 1 17->24         started        26 conhost.exe 17->26         started        signatures8 process9 dnsIp10 32 api.telegram.org 149.154.167.220, 443, 49696 TELEGRAMRU United Kingdom 19->32
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ff75749c2d51435855afc23501105d259ed8213cd24085e1164f056ac2c2e05/
Threat name:
Script-WScript.Trojan.Minerva
Create hunting rule
Status:
Malicious
First seen:
2023-04-10 21:56:27 UTC
File Type:
Text (VBS)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l73vosoc2ukdlbk27qrvaeif2jm63aqtzusaqxqrmtyfnlbmfycq._file
Verdict:
malicious
Similar samples:
2c2526def5ac97d4f1d09403ef1febe5ecb0492de64c2d539db8760f2da27ad0
XWorm
35dcbe95b9ca79381e4d0a11561194439d554ed6e245b2e73700ece1f60fe884
XWorm
4b9d11ad0a32fd2d76d4d8e9256f13df37b7628df9eb50b21dd11016d0a4ca22
XWorm
57f4c5126700392a7d6e6fa24d8c8f1c9efcf960e3019a84237ae1b54f9e9c69
XWorm
644ba0805c354cc940caf1aa3ec0b62a1d9328fc214f84199ecb619093fcce1f
XWorm
7f8e216231c8e0e57f4d6e06edb5c20fbed0cfa36c44058ad5809935c4a06448
XWorm
8a6b09020b568e516c55e458e6e95b2a5d0dafa73b4efffcd46ef87b8e6371eb
XWorm
8acc5e78093d75cd1679b3314f7e79d8a3135a51a65d92d6fe36ed263e6a5860
XWorm
9d37536f15064024ca5a77a721f6650d2662db57d8fc7b0c6c723baf4bff4e63
XWorm
d3560973cf6d7a1faea04ff7aaabc5fac5c8e2c7d5aacbd2fae8423f118ad1ba
XWorm
+ 42 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230412-n6v4hsde6w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5ff75749c2d5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ff75749c2d51435855afc23501105d259ed8213cd24085e1164f056ac2c2e05

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs
Rule name:SUSP_VBS_Wscript_Shell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon
Rule name:XWorm_Hunter
Create hunting rule
Author:Potato

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Visual Basic Script (vbs) vbs 5ff75749c2d51435855afc23501105d259ed8213cd24085e1164f056ac2c2e05

(this sample)

  
X
https://twitter.com/0xToxin/status/1645076370685411333?s=20
  
URLhaus
https://urlhaus.abuse.ch/url/2607005/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/381767/

Comments