MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 604684d8a860ca44c0bb7a05797883b2dec1706667dd94b5e2448fbbf2cea622. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 604684d8a860ca44c0bb7a05797883b2dec1706667dd94b5e2448fbbf2cea622
SHA3-384 hash: 96babd7188d474d7c399c88cdbc72bb1d0eaf5627eda13cb59e2e08ec99fc31fd59c530e47d43aeb429a96b5ebbed7e7
SHA1 hash: 2a1dbba888beb77eb5c2d473a8751e638dd89ff4
MD5 hash: abbe86b2090df28ec71653c86a638f32
humanhash: eighteen-don-montana-colorado
File name:payments.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:50'498 bytes
First seen:2024-06-13 14:29:22 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 768:Ra1Fw72kwrfA9vsCP7pkYeDIOcJgzazqeWzR4hw7PGiWiQgFGdM+Vc:Rafw72kx7leVcZ+nVYES7gFGdM+Vc
Threatray 609 similar samples on MalwareBazaar
TLSH T185333BF606239D8F8B3B1D41E40C2201ECA9ECA3319A91ADBF454A9A8EE551CDD74DF4
Reporter Anonymous
Tags:vbs xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
US US
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=666b02e3da262547655f3876win7simulatehigh_evasion
Tags:
Banker Encryption Execution Network Stealth Dexter
Verdict:
Malicious
Labled as:
GT:VB.ObfDldr.28
Link:
https://www.hybrid-analysis.com/sample/604684d8a860ca44c0bb7a05797883b2dec1706667dd94b5e2448fbbf2cea622
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1456679
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Encrypted powershell cmdline option found
Found malware configuration
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Copy file to startup via Powershell
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Suspicious execution chain found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1456679 Sample: payments.vbs Startdate: 13/06/2024 Architecture: WINDOWS Score: 100 38 estrella1221.duckdns.org 2->38 40 Snort IDS alert for network traffic 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 48 16 other signatures 2->48 8 wscript.exe 1 1 2->8         started        11 wscript.exe 1 2->11         started        signatures3 46 Uses dynamic DNS services 38->46 process4 signatures5 50 VBScript performs obfuscated calls to suspicious functions 8->50 52 Wscript starts Powershell (via cmd or directly) 8->52 54 Encrypted powershell cmdline option found 8->54 56 2 other signatures 8->56 13 powershell.exe 13 8->13         started        17 powershell.exe 23 8->17         started        20 powershell.exe 9 11->20         started        22 powershell.exe 11->22         started        process6 dnsIp7 32 C:\Users\user\...\chrome.vbs:Zone.Identifier, ASCII 13->32 dropped 34 C:\Users\user\AppData\Roaming\...\chrome.vbs, ASCII 13->34 dropped 58 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->58 60 Drops VBS files to the startup folder 13->60 24 conhost.exe 13->24         started        36 estrella1221.duckdns.org 95.211.139.183, 49731, 7000 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 17->36 26 conhost.exe 17->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        file8 signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/604684d8a860ca44c0bb7a05797883b2dec1706667dd94b5e2448fbbf2cea622
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/604684d8a860ca44c0bb7a05797883b2dec1706667dd94b5e2448fbbf2cea622/
Threat name:
Script-WScript.Trojan.PShell
Create hunting rule
Status:
Malicious
First seen:
2024-06-13 14:30:07 UTC
File Type:
Text (VBS)
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mbdijwfimdfejqf3picxs6edwlpmc4dgm7ozjnpcish3x4wouyra._file
Verdict:
malicious
Similar samples:
3a7e38ecb369d0e5c7d26af8aebf9ef187173369ef6f145814e0f43f8ea2f7c6
XWorm
528d569e3c55bab9d8d7908bb70e51efa1532eaae2ce097a7884b5bf5e239726
XWorm
604684d8a860ca44c0bb7a05797883b2dec1706667dd94b5e2448fbbf2cea622
XWorm
9c05f5db3381fd617afd172cd2faf22b3ad21c23eaf2d90ecce03ddaca09a2c0
XWorm
bc1b38d36be44ff0b3f853d4cbfadc275bcf0898a9ca41607887b7d1eb2c124d
XWorm
+ 599 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/240613-rt6ahaxarm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction:
estrella1221.duckdns.org:7000
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/604684d8a860ca44c0bb7a05797883b2dec1706667dd94b5e2448fbbf2cea622

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_Reversed_Base64_Encoded_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an base64 encoded executable with reversed characters
Reference:Internal Research
Rule name:SUSP_Reversed_Base64_Encoded_EXE_RID3291
Create hunting rule
Author:Florian Roth
Description:Detects an base64 encoded executable with reversed characters
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments