MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88a2240dc335e8c8ee37e3618fe17d754776aee555dca59a97c4c2a7ee3226b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88a2240dc335e8c8ee37e3618fe17d754776aee555dca59a97c4c2a7ee3226b2
SHA3-384 hash: 5c5b21611f2cb09e6eb722ad5583aa72a616e0dcaf75de17695bfc482176ccb72b2aea42fb7e9c4cecb5fdce4508f923
SHA1 hash: dddd1bd7111817ae5e8134ee3114a73a033a8cb7
MD5 hash: ef5a1732d8ddf047b888c9b04055cf57
humanhash: stream-eleven-social-low
File name:sostener.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:2'279'726 bytes
First seen:2025-02-06 18:34:23 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 192:FPoQJDCcL3CE/9/vc4x467mPOCb7zM1vhxL:TQqy8c4i67PaAD
Threatray 2'178 similar samples on MalwareBazaar
TLSH T142B539DEDBC1410BE928EBC210561AB1EED13F4529474A7A789B903C34DD7FA39E1E60
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika mp3
Reporter Anonymous
Tags:vbs xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.GT.VB.Honolulu.1.FCA631BB.22077.23013.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a501b82dcee78dd819dad3
Tags:
xtreme shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive opendir opendir powershell
Link:
https://www.filescan.io/uploads/67a500e7a55c685dbbf1f54e/reports/ea52bbf3-861f-4e67-8fe8-d30ebecf185c/overview
Verdict:
Malicious
Labled as:
GT:VB.Honolulu.1
Link:
https://www.hybrid-analysis.com/sample/88a2240dc335e8c8ee37e3618fe17d754776aee555dca59a97c4c2a7ee3226b2
Result
Verdict:
MALICIOUS
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1608656
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Encrypted powershell cmdline option found
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1608656 Sample: sostener.vbs Startdate: 06/02/2025 Architecture: WINDOWS Score: 100 34 Gotemburgoxm.duckdns.org 2->34 36 paste.ee 2->36 38 2 other IPs or domains 2->38 42 Suricata IDS alerts for network traffic 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 52 15 other signatures 2->52 10 wscript.exe 1 2->10         started        signatures3 48 Uses dynamic DNS services 34->48 50 Connects to a pastebin service (likely for C&C) 36->50 process4 signatures5 60 VBScript performs obfuscated calls to suspicious functions 10->60 62 Suspicious powershell command line found 10->62 64 Wscript starts Powershell (via cmd or directly) 10->64 66 2 other signatures 10->66 13 powershell.exe 7 10->13         started        process6 signatures7 68 Suspicious powershell command line found 13->68 70 Encrypted powershell cmdline option found 13->70 72 Bypasses PowerShell execution policy 13->72 74 Found suspicious powershell code related to unpacking or dynamic code loading 13->74 16 powershell.exe 14 17 13->16         started        20 conhost.exe 13->20         started        process8 dnsIp9 32 91.202.233.169, 49715, 49716, 80 M247GB Russian Federation 16->32 30 C:\Users\user\AppData\Local\Temp\dll03.ps1, Unicode 16->30 dropped 22 powershell.exe 11 16->22         started        file10 process11 dnsIp12 40 paste.ee 23.186.113.60, 443, 49717 KLAYER-GLOBALNL Reserved 22->40 54 Writes to foreign memory regions 22->54 56 Potential dropper URLs found in powershell memory 22->56 58 Injects a PE file into a foreign processes 22->58 26 MSBuild.exe 2 22->26         started        28 MSBuild.exe 22->28         started        signatures13 process14
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/88a2240dc335e8c8ee37e3618fe17d754776aee555dca59a97c4c2a7ee3226b2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88a2240dc335e8c8ee37e3618fe17d754776aee555dca59a97c4c2a7ee3226b2/
Threat name:
Script-WScript.Trojan.Honolulu
Create hunting rule
Status:
Malicious
First seen:
2025-02-06 18:36:09 UTC
File Type:
Text (VBS)
AV detection:
7 of 38 (18.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rcrcidodgxumr3rx4nqy7yl5ovdxnlxfkxoklguxytbkp3rse2za._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
06eb284366b1e9ef0cb5dde4f81e8ad974370d6ca1cf6e9969a9721ee5a6df2d
XWorm
39962cdef1efccb262b01e3bc41e4380ed1f925885f1a22178e505f5c440887a
XWorm
528d569e3c55bab9d8d7908bb70e51efa1532eaae2ce097a7884b5bf5e239726
XWorm
7a90a983879e6d6d0f3c18f7829dcc2d7832289af206a3e2d6f9890d7f1fc793
XWorm
8abca677b866c3f7bb95524230d490a9f33e98d1697a9f25bd0798f3e016f936
XWorm
error
XWorm
f7a08ebdae40fcb8cdc61a569fdf42b9e65d2dd8f88a4cca9cae0e632a3d8f53
XWorm
+ 2'168 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/250206-w8e43svlhk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Blocklisted process makes network request
Malware Config
Dropper Extraction:
http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/AD/dll.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88a2240dc335e8c8ee37e3618fe17d754776aee555dca59a97c4c2a7ee3226b2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments