MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 954123ad1e2ae6ab434e64d0f040d62b0de117735b60fcfc7507ca76c436e633. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 954123ad1e2ae6ab434e64d0f040d62b0de117735b60fcfc7507ca76c436e633
SHA3-384 hash: 60ba7dba6f9b69a8f84aa0d6251fd0f261a9b56e403eb0d1e8ceaceab98d0b374bb464b8f0ebd76796de846bd2c40530
SHA1 hash: c94a419538fd2e6b82b731c8a3e60b37336c5590
MD5 hash: ace97cffaf190af11e000b059e872473
humanhash: cat-white-princess-utah
File name:z1United_order_.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:71'695 bytes
First seen:2025-03-25 23:30:08 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:HJZkbmEKUgXEXzICKUnFNiq8ExWBMQt12F78ka:oHf/iTE+Bt8Z8ka
Threatray 2'125 similar samples on MalwareBazaar
TLSH T11663A4FDD7E1ECD00B66B0F3669D3B05209C8B53AB756B3DF4D8087D64D1A40AAB2588
Magika vba
Reporter FXOLabs
Tags:vbs xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
BR BR
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan-Downloader.VBS.Agent.3366.3769.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e30f3ccb6d38a89f3e180f
Tags:
obfuscate autorun xtreme sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive masquerade obfuscated
Link:
https://www.filescan.io/uploads/67e33c88f274bf2d8e21999d/reports/50581712-81e1-40c7-aa48-07f6958f66e8/overview
Verdict:
Suspicious
Labled as:
BAT/Agent.AZY
Link:
https://www.hybrid-analysis.com/sample/954123ad1e2ae6ab434e64d0f040d62b0de117735b60fcfc7507ca76c436e633
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Result
Threat name:
Batch Injector, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1648590
Signature
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Batch Injector
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1648590 Sample: z1United_order_.vbs Startdate: 26/03/2025 Architecture: WINDOWS Score: 100 71 freeetradingzone.duckdns.org 2->71 75 Suricata IDS alerts for network traffic 2->75 77 Found malware configuration 2->77 79 Malicious sample detected (through community Yara rule) 2->79 83 17 other signatures 2->83 9 wscript.exe 2 2->9         started        13 cmd.exe 1 2->13         started        15 cmd.exe 1 2->15         started        17 8 other processes 2->17 signatures3 81 Uses dynamic DNS services 71->81 process4 dnsIp5 65 C:\Users\user\AppData\...\temp_script.bat, ASCII 9->65 dropped 95 VBScript performs obfuscated calls to suspicious functions 9->95 97 Wscript starts Powershell (via cmd or directly) 9->97 99 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->99 101 Suspicious execution chain found 9->101 20 cmd.exe 1 9->20         started        23 MpCmdRun.exe 1 9->23         started        25 cmd.exe 1 13->25         started        27 conhost.exe 13->27         started        29 cmd.exe 1 15->29         started        31 conhost.exe 15->31         started        69 127.0.0.1 unknown unknown 17->69 33 cmd.exe 1 17->33         started        35 cmd.exe 1 17->35         started        37 12 other processes 17->37 file6 signatures7 process8 signatures9 85 Suspicious powershell command line found 20->85 87 Wscript starts Powershell (via cmd or directly) 20->87 89 Bypasses PowerShell execution policy 20->89 39 cmd.exe 2 20->39         started        42 conhost.exe 20->42         started        44 conhost.exe 23->44         started        46 conhost.exe 25->46         started        48 powershell.exe 25->48         started        50 2 other processes 29->50 52 2 other processes 33->52 54 2 other processes 35->54 56 10 other processes 37->56 process10 signatures11 91 Suspicious powershell command line found 39->91 93 Wscript starts Powershell (via cmd or directly) 39->93 58 powershell.exe 17 39->58         started        63 conhost.exe 39->63         started        process12 dnsIp13 73 freeetradingzone.duckdns.org 206.123.152.106, 3911, 49726 HVC-ASUS United States 58->73 67 C:\Users\user\...\StartupScript_176f6a5b.cmd, ASCII 58->67 dropped 103 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 58->103 105 Found suspicious powershell code related to unpacking or dynamic code loading 58->105 file14 signatures15
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/954123ad1e2ae6ab434e64d0f040d62b0de117735b60fcfc7507ca76c436e633
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/954123ad1e2ae6ab434e64d0f040d62b0de117735b60fcfc7507ca76c436e633/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=svashli6fltkwq2omtipaqgwfmg6cf3tlnqpz7dva7fhnrbw4yzq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
108cc8de775d1508ece81cb24d8aa5770b5760ddd3ecd27a341ab9f539d7950c
XWorm
3c22272754c28b6a59811b0317095e58411e3341144a7bccdcd38de156b608c6
XWorm
7487a3ebf201e047992676ccf53d756aa939f8a3b9b8a53d1ba870e3cdd63379
XWorm
954123ad1e2ae6ab434e64d0f040d62b0de117735b60fcfc7507ca76c436e633
XWorm
96999e6b25058815d6f3c9db2895011ae8c018925da6630dfefcd95ef754234f
XWorm
9b0a5807b705aecc86d4f02944944e51045852e915315136a7468cab0124f07b
XWorm
cf14a8622e9a0ab68011a62ee9e9ed33327ff924763fcd4a5f97c5fe8a6b8495
XWorm
d0947eae56860259ab301c62cfdcd0f8c77a59edadd82880b7fd743cf95a8e7a
XWorm
df56b2796d6a3dc1cb0dd449bde500ee024aba2cba51aec803f1d14672c2e6ce
XWorm
error
XWorm
+ 2'115 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/250325-3g82eatzhy/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
freeetradingzone.duckdns.org:3911
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/954123ad1e2a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/954123ad1e2ae6ab434e64d0f040d62b0de117735b60fcfc7507ca76c436e633

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Visual Basic Script (vbs) vbs 954123ad1e2ae6ab434e64d0f040d62b0de117735b60fcfc7507ca76c436e633

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments