MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8dacb47c69a35a199894f29a981969a46029c9256610ac3045c624959839aaf0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8dacb47c69a35a199894f29a981969a46029c9256610ac3045c624959839aaf0
SHA3-384 hash: 8659fb131ffa61a7ba6f423cbeefc387e60a8f609b9e719280e3cec59fe5606f4ea7b2c9fd1e22452f6ac81a53315e6e
SHA1 hash: 4833984bd62d7b48718b1d7f83d6e85ce096937d
MD5 hash: 26e14160a7c8b627faeb63960ab51b6f
humanhash: hydrogen-cola-freddie-sixteen
File name:SPECIFICATIONS.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:36'398 bytes
First seen:2025-08-21 07:10:04 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 768:ogUUZhjIiaDYmNAJXNNmqrrqOQKh0PcZ4DKYEMO00SCj9:ogZactJdNmqqOQKh0bKYfO0ZCj9
Threatray 47 similar samples on MalwareBazaar
TLSH T197F208AFBB8FE32A4D0405D4BF3794036D6CC271D2125718FE9D9D2E1845C9A8671EAC
Magika vba
Reporter abuse_ch
Tags:vbs xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
48
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22707/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a6c6be8fd55a79c5299d63
Tags:
ransomware xtreme shell
Verdict:
Unknown
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/68a6c7f2a4bdac9f5ba2586b/reports/d07d0952-b21f-47bf-a6e6-d56a9ae55645/overview
Verdict:
Malicious
Labled as:
Valyria
Link:
https://www.hybrid-analysis.com/sample/8dacb47c69a35a199894f29a981969a46029c9256610ac3045c624959839aaf0
Result
Threat name:
PureLog Stealer, SugarDump, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1761752
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Creates processes via WMI
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected SugarDump
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1761752 Sample: SPECIFICATIONS.vbs Startdate: 21/08/2025 Architecture: WINDOWS Score: 100 48 ia800901.us.archive.org 2->48 50 dn721601.ca.archive.org 2->50 52 archive.org 2->52 74 Suricata IDS alerts for network traffic 2->74 76 Found malware configuration 2->76 78 Malicious sample detected (through community Yara rule) 2->78 80 14 other signatures 2->80 9 powershell.exe 14 16 2->9         started        13 wscript.exe 2->13         started        15 wscript.exe 2->15         started        signatures3 process4 dnsIp5 54 213.209.150.111, 24680, 49721, 49722 KEMINETAL Germany 9->54 56 archive.org 207.241.224.2, 443, 49719, 49723 INTERNET-ARCHIVEUS United States 9->56 58 ia800901.us.archive.org 207.241.233.61, 443, 49720 INTERNET-ARCHIVEUS United States 9->58 82 Found Tor onion address 9->82 84 Writes to foreign memory regions 9->84 86 Injects a PE file into a foreign processes 9->86 17 aspnet_compiler.exe 3 5 9->17         started        21 cmd.exe 2 9->21         started        23 conhost.exe 9->23         started        88 Suspicious powershell command line found 13->88 90 Wscript starts Powershell (via cmd or directly) 13->90 92 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->92 94 2 other signatures 13->94 25 powershell.exe 15->25         started        signatures6 process7 dnsIp8 44 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 17->44 dropped 62 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->62 64 Tries to harvest and steal browser information (history, passwords, etc) 17->64 28 cmd.exe 1 17->28         started        46 C:\ProgramData\8ggZndAMhq.vbs, data 21->46 dropped 66 Command shell drops VBS files 21->66 30 conhost.exe 21->30         started        60 dn721601.ca.archive.org 204.62.247.20, 443, 49724 COGENT-174US United States 25->60 68 Found Tor onion address 25->68 70 Writes to foreign memory regions 25->70 72 Injects a PE file into a foreign processes 25->72 32 aspnet_compiler.exe 1 25->32         started        34 conhost.exe 25->34         started        36 aspnet_compiler.exe 25->36         started        38 aspnet_compiler.exe 25->38         started        file9 signatures10 process11 process12 40 conhost.exe 28->40         started        42 timeout.exe 1 28->42         started       
Score:
9%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/8dacb47c69a35a199894f29a981969a46029c9256610ac3045c624959839aaf0
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8dacb47c69a35a199894f29a981969a46029c9256610ac3045c624959839aaf0/
Threat name:
Script-WScript.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2025-08-20 10:51:52 UTC
File Type:
Text (VBS)
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rwwli7djunnbtgeu6knjqgljurqctsjfmyikymcfyysjlgbzvlya._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
1d77f0c7f93f79c5884c8731ff55c8ebb23fdf112e927851abd8ef3b73d130d7
XWorm
1eb765ddbcf4fc19d9f2d77ec340f635bb9bd57f7b9b5ed2f78b9a10d2882c32
XWorm
34d6e23994ad8b890e50be8487a4a405310f1616df5e23b1639e5fbc540deffc
XWorm
56b4683889bc8c9a8cbceb1b9d5a87d6eb6f6f801adb95770d44a7ffdc3f69bf
XWorm
90e1d6f51384ef537001661e31850e2b749fc8d5e25141f09c044a77ab5ecdeb
XWorm
93be4f52f2c44e85adf3f22f274d52ceb21c064f823f06007c09e8e652333ee6
XWorm
9b37f9c137e7c8e068f6eb375ef9a32dec6b4021a35115958c2257935c26a412
XWorm
a0c2c6d32c1fa057b2ee2d134990886f30fbb8354c32fc35d20016d5be0c7df4
XWorm
ae2d970394457d9ad893549bc338ec70283e04cb30471d5fdb72e15d9cb582c1
XWorm
b69f4c2ebdcbcea71ca8a036e80828196387d03e1a1c781107ca2bdb3a769f0d
XWorm
error
XWorm
+ 37 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm defense_evasion discovery execution persistence rat trojan
Link:
https://tria.ge/reports/250821-h37egs1l14/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Modifies trusted root certificate store through registry
Detect Xworm Payload
Process spawned unexpected child process
Xworm
Xworm family
Malware Config
C2 Extraction:
213.209.150.111:24680
Dropper Extraction:
https://archive.org/download/optimized_msi_20250814/optimized_MSI.png
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:SUSP_PowerShell_Base64_Decode
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects PowerShell code to decode Base64 data. This can yield many FP
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/22707/

Comments