MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b0a5807b705aecc86d4f02944944e51045852e915315136a7468cab0124f07b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b0a5807b705aecc86d4f02944944e51045852e915315136a7468cab0124f07b
SHA3-384 hash: 0ce19fa6987788128b1d3915a69525a7ca282168593fa37877a119c9542b4ab4724adebaaf7fee46481bc99fdd5c756d
SHA1 hash: c235a5ed8e0a58b95a9cb8216706d68300a5f8f5
MD5 hash: 8d02de6b0e601a3bd5fc8374feca46c1
humanhash: california-fillet-one-item
File name:awb_documents_delivery_25_03_2025_0000000-pdf.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:71'695 bytes
First seen:2025-03-25 06:41:07 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:TGPrZkbmEKUgXEXzICKUnFroUMnja4ORSw4q9Cvo9UHYCK:TGPGHfBkH/wr9uo9UG
Threatray 2'089 similar samples on MalwareBazaar
TLSH T1146392FDC3E1ACD0072AB0E3636C3F46109C8B63BB696B3DF5C4083D64D1654AAB5699
Magika vba
Reporter abuse_ch
Tags:vbs xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan-Downloader.VBS.Agent.20270.27936.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e250dcbb84e066269ee7b1
Tags:
obfuscate autorun xtreme sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive masquerade obfuscated
Link:
https://www.filescan.io/uploads/67e250223e6805386cffce1d/reports/b2e3cb10-6beb-43ce-b99c-579b9f928faf/overview
Verdict:
Malicious
Labled as:
BAT/Agent.AZY
Link:
https://www.hybrid-analysis.com/sample/9b0a5807b705aecc86d4f02944944e51045852e915315136a7468cab0124f07b
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Result
Threat name:
Batch Injector, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1647727
Signature
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Batch Injector
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1647727 Sample: awb_documents_delivery_25_0... Startdate: 25/03/2025 Architecture: WINDOWS Score: 100 68 freeetradingzone.duckdns.org 2->68 72 Suricata IDS alerts for network traffic 2->72 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 80 20 other signatures 2->80 9 wscript.exe 2 2->9         started        13 cmd.exe 1 2->13         started        15 cmd.exe 1 2->15         started        17 7 other processes 2->17 signatures3 78 Uses dynamic DNS services 68->78 process4 file5 64 C:\Users\user\AppData\...\temp_script.bat, ASCII 9->64 dropped 92 VBScript performs obfuscated calls to suspicious functions 9->92 94 Wscript starts Powershell (via cmd or directly) 9->94 96 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->96 98 Suspicious execution chain found 9->98 19 cmd.exe 1 9->19         started        22 cmd.exe 1 13->22         started        24 conhost.exe 13->24         started        26 cmd.exe 1 15->26         started        28 conhost.exe 15->28         started        30 cmd.exe 1 17->30         started        32 cmd.exe 1 17->32         started        34 cmd.exe 1 17->34         started        36 11 other processes 17->36 signatures6 process7 signatures8 82 Suspicious powershell command line found 19->82 84 Wscript starts Powershell (via cmd or directly) 19->84 86 Bypasses PowerShell execution policy 19->86 38 cmd.exe 2 19->38         started        41 conhost.exe 19->41         started        43 conhost.exe 22->43         started        45 powershell.exe 22->45         started        47 2 other processes 26->47 49 2 other processes 30->49 51 2 other processes 32->51 53 2 other processes 34->53 55 8 other processes 36->55 process9 signatures10 88 Suspicious powershell command line found 38->88 90 Wscript starts Powershell (via cmd or directly) 38->90 57 powershell.exe 17 38->57         started        62 conhost.exe 38->62         started        process11 dnsIp12 70 freeetradingzone.duckdns.org 206.123.152.105, 3911, 49716 HVC-ASUS United States 57->70 66 C:\Users\user\...\StartupScript_ae345805.cmd, ASCII 57->66 dropped 100 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 57->100 102 Found suspicious powershell code related to unpacking or dynamic code loading 57->102 file13 signatures14
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/9b0a5807b705aecc86d4f02944944e51045852e915315136a7468cab0124f07b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b0a5807b705aecc86d4f02944944e51045852e915315136a7468cab0124f07b/
Threat name:
Script-WScript.Backdoor.Xworm
Create hunting rule
Status:
Suspicious
First seen:
2025-03-25 05:06:27 UTC
File Type:
Text (VBS)
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tmffqb5xawxmzbwu6auujfcokecfquxjcuyvcnvhi2gkwaje6b5q._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
39310dd2eaae889d46e05ad8d231a6da7977e7b47d864ed0b5db0b66b2f57010
XWorm
7b79046511bb3e926c5c91db54dae79c06bc19f7d7cdfcfe6df9627eb257cac7
XWorm
8be80c2c475e56e5cf4352b55d95d859d4816548052309ad41cfd01e86615be7
XWorm
a0426333807dd8de6f38d77aca0fce5ff99e5231c6f5be5398410470dfd2b756
XWorm
a1c97fe85170fd6acd766d965f1931e32692ffa92db222492fd24b4421b126c9
XWorm
df56b2796d6a3dc1cb0dd449bde500ee024aba2cba51aec803f1d14672c2e6ce
XWorm
error
XWorm
+ 2'079 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/250325-hfzfcssvcz/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
freeetradingzone.duckdns.org:3911
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9b0a5807b705aecc86d4f02944944e51045852e915315136a7468cab0124f07b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments