MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7487a3ebf201e047992676ccf53d756aa939f8a3b9b8a53d1ba870e3cdd63379. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7487a3ebf201e047992676ccf53d756aa939f8a3b9b8a53d1ba870e3cdd63379
SHA3-384 hash: 20a792d6b1ac9a8f4755224038c17450baad57b173faad4ab6dc61900166c8722156790ff5e6a096fad621250cbd624a
SHA1 hash: 5574c14a09b0151c49bcc1bda2af6a58fc443aab
MD5 hash: 8e4f1c77218812742ec7ec0b4c7628bf
humanhash: violet-spring-gee-kilo
File name:awb_documents_bl_delivery_25_03_2025_0000000-pdf.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:71'695 bytes
First seen:2025-03-25 08:16:12 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:POllrmzcZjcypVfhuRcJcXs+xQ9P/U6ZkbmEKUgXEXzICKUnFvDkBK:2llSzNypVfnW2ZUDHfNb
Threatray 2'093 similar samples on MalwareBazaar
TLSH T1AF63A4FDC7F0ACD5072AF0E3626D3F02145C8753AA65AB3DF4C9097E68D1640AAB96C4
Magika vba
Reporter abuse_ch
Tags:vbs xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan-Downloader.VBS.Agent.29127.27331.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e2666cacb044ea849eabf2
Tags:
obfuscate autorun xtreme sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive masquerade obfuscated
Link:
https://www.filescan.io/uploads/67e26656a08e28b31da82d58/reports/13a4e0cc-7f33-4c69-8a28-9aaa6d851aab/overview
Verdict:
Suspicious
Labled as:
BAT/Agent.AZY
Link:
https://www.hybrid-analysis.com/sample/7487a3ebf201e047992676ccf53d756aa939f8a3b9b8a53d1ba870e3cdd63379
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Result
Threat name:
Batch Injector, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1647797
Signature
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Batch Injector
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1647797 Sample: awb_documents_bl_delivery_2... Startdate: 25/03/2025 Architecture: WINDOWS Score: 100 71 freeetradingzone.duckdns.org 2->71 75 Suricata IDS alerts for network traffic 2->75 77 Found malware configuration 2->77 79 Malicious sample detected (through community Yara rule) 2->79 83 18 other signatures 2->83 9 wscript.exe 2 2->9         started        13 cmd.exe 1 2->13         started        15 cmd.exe 1 2->15         started        17 8 other processes 2->17 signatures3 81 Uses dynamic DNS services 71->81 process4 dnsIp5 65 C:\Users\user\AppData\...\temp_script.bat, ASCII 9->65 dropped 95 VBScript performs obfuscated calls to suspicious functions 9->95 97 Wscript starts Powershell (via cmd or directly) 9->97 99 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->99 101 Suspicious execution chain found 9->101 20 cmd.exe 1 9->20         started        23 cmd.exe 1 13->23         started        25 conhost.exe 13->25         started        27 cmd.exe 1 15->27         started        29 conhost.exe 15->29         started        69 127.0.0.1 unknown unknown 17->69 31 cmd.exe 1 17->31         started        33 cmd.exe 1 17->33         started        35 cmd.exe 1 17->35         started        37 11 other processes 17->37 file6 signatures7 process8 signatures9 85 Suspicious powershell command line found 20->85 87 Wscript starts Powershell (via cmd or directly) 20->87 89 Bypasses PowerShell execution policy 20->89 39 cmd.exe 2 20->39         started        42 conhost.exe 20->42         started        44 conhost.exe 23->44         started        46 powershell.exe 23->46         started        48 2 other processes 27->48 50 2 other processes 31->50 52 2 other processes 33->52 54 2 other processes 35->54 56 8 other processes 37->56 process10 signatures11 91 Suspicious powershell command line found 39->91 93 Wscript starts Powershell (via cmd or directly) 39->93 58 powershell.exe 17 39->58         started        63 conhost.exe 39->63         started        process12 dnsIp13 73 freeetradingzone.duckdns.org 206.123.152.107, 3911 HVC-ASUS United States 58->73 67 C:\Users\user\...\StartupScript_e5aa5426.cmd, ASCII 58->67 dropped 103 Found suspicious powershell code related to unpacking or dynamic code loading 58->103 file14 signatures15
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/7487a3ebf201e047992676ccf53d756aa939f8a3b9b8a53d1ba870e3cdd63379
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7487a3ebf201e047992676ccf53d756aa939f8a3b9b8a53d1ba870e3cdd63379/
Threat name:
Script-WScript.Backdoor.Xworm
Create hunting rule
Status:
Suspicious
First seen:
2025-03-25 08:16:23 UTC
File Type:
Text (VBS)
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=osd2h27sahqepgjgo3gpkplvnkutt6fdxg4kkpi3vbyohtowgn4q._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
108cc8de775d1508ece81cb24d8aa5770b5760ddd3ecd27a341ab9f539d7950c
XWorm
39310dd2eaae889d46e05ad8d231a6da7977e7b47d864ed0b5db0b66b2f57010
XWorm
7b79046511bb3e926c5c91db54dae79c06bc19f7d7cdfcfe6df9627eb257cac7
XWorm
8be80c2c475e56e5cf4352b55d95d859d4816548052309ad41cfd01e86615be7
XWorm
9b0a5807b705aecc86d4f02944944e51045852e915315136a7468cab0124f07b
XWorm
a0426333807dd8de6f38d77aca0fce5ff99e5231c6f5be5398410470dfd2b756
XWorm
d0947eae56860259ab301c62cfdcd0f8c77a59edadd82880b7fd743cf95a8e7a
XWorm
df56b2796d6a3dc1cb0dd449bde500ee024aba2cba51aec803f1d14672c2e6ce
XWorm
error
XWorm
+ 2'083 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/250325-j59hass1hy/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
freeetradingzone.duckdns.org:3911
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7487a3ebf201/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7487a3ebf201e047992676ccf53d756aa939f8a3b9b8a53d1ba870e3cdd63379

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments