MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 616b960b0c5d83d84913e281c97a9ca16ffbb76d5e34e766c2242ff0782cbf5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm
Vendor detections: 12

SHA256 hash: 616b960b0c5d83d84913e281c97a9ca16ffbb76d5e34e766c2242ff0782cbf5a
SHA3-384 hash: da8ca2e3a9d1da7653ce479b2f5a2b9bf180d742b3fc8415af63d20593427c125459df78888ff3893fe5c2b261a90207
SHA1 hash: cff7fecf96e20b1a7329f3b429eba6009d7280f8
MD5 hash: eafc03f0a2c9407e5ba052d1b5d34ced
humanhash: nitrogen-quiet-orange-mexico
File name: PO-S25001681921506052025.PDF.vbs
Signature: XWorm
File size: 120'756 bytes
First seen: 2025-06-05 06:15:22 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 1536:HryIKTLsh9o6Z0BGJx+HhPQXLrnmGHSzAMkmMuYJMhCVwRV/DwCdw64H5qwW5ccz:HuWZ0BNxQXLRHS+MhC6nBfw/WunicE
Threatray: 771 similar samples on MalwareBazaar
TLSH: T10BC3F13742AB3EA458A56D4991857C562FADBA931E1C8056BF8134DF07FD6388D20FF0
Magika: vba
Reporter: abuse_ch
Tags: vbs xworm

Intelligence

File Origin
# of uploads: 1
# of downloads: 85
Origin country: NL
Vendor Threat Intelligence
Verdict: Malicious
Score: 90.2%
Tags: dropper virus agent

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug base64 dropper evasive masquerade obfuscated packed

Result
Threat name: AsyncRAT, XWorm
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Drops PE files to the document folder of the user
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (has network functionality)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
System process connects to network (likely due to code injection or exploit)
Uses an obfuscated file name to hide its real file extension (double extension)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected XWorm
Behaviour
Behavior Graph (ID: 1706881; sample: PO-S25001681921506052025.PDF.vbs; start date: 05/06/2025; architecture: WINDOWS; score: 100)

Sample root node
  Domains/IPs contacted: pastebin.com; ax-0003.ax-msedge.net; 3 other IPs or domains
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 11 other signatures
  pastebin.com: Connects to a pastebin service (likely for C&C)

Process chain
  wscript.exe (started from the sample)
    Dropped: PO-S25001681921506...vbs:Zone.Identifier (ASCII); C:\Users\...\PO-S25001681921506052025.PDF.vbs (ASCII)
    Signatures: Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions; Drops PE files to the document folder of the user; 3 other signatures
    wscript.exe (child process)
      Dropped: C:\Users\user\Documents\Update\Update.exe (PE32+)
      Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
      Update.exe
        Signatures: Multi AV Scanner detection for dropped file; Contains functionality to inject threads in other processes; Injects code into the Windows Explorer (explorer.exe); 3 other signatures
        explorer.exe (injected)
          Network: 185.157.161.184, ports 49693, 6770 (OBE-EUROPE Obenetwork Europe SE, Sweden); 204.79.197.203, port 443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); pastebin.com 104.22.68.199, ports 443, 49692 (CLOUDFLARENET US, United States)
          Signatures: System process connects to network (likely due to code injection or exploit); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
          Update.exe
            Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  explorer.exe (started from the sample)
    Network: ax-0003.ax-msedge.net 150.171.27.12, ports 443, 49700 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
    Signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)
Threat name: Script-WScript.Backdoor.Xworm
Status: Malicious
First seen: 2025-06-05 02:06:44 UTC
File Type: Text (VBS)
AV detection: 12 of 24 (50.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:donutloader family:xworm loader persistence rat trojan
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Enumerates physical storage devices
Adds Run key to start application
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Boot or Logon Autostart Execution: Active Setup
Detect Xworm Payload
Detects DonutLoader
DonutLoader
Donutloader family
Xworm
Xworm family
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments