MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a19a8e6782f0008c3b10276c764962f6f27b27754d826f8d3679ef15bea122d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a19a8e6782f0008c3b10276c764962f6f27b27754d826f8d3679ef15bea122d5
SHA3-384 hash: 64cecae0a304615fcf6990f1f9b24916ed5b253852c53f02e4a36e37cc39cd27ef0b30e1347f0742b562268c4377f37b
SHA1 hash: 1c559cdce2d6502813e2caf6af4e161b5823ec04
MD5 hash: e2f029c7d8548b4d69907facd22a785a
humanhash: connecticut-snake-winner-high
File name:Invoice_7729839_PDF.lnk
Download: download sample
Signature XWorm
Create hunting rule
File size:1'817 bytes
First seen:2023-07-21 06:25:24 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/octet-stream
ssdeep 24:8G912CXJiwgWUOKJWnAArWWbS0b0HS0VS0bn7E58ySBCj+7S7vJQvMEETtVQsy:8G90WJ2WFXRSrS+SQ7QSB7gvJgdsy
TLSH T1FA31231117B5E326F1B34F7148B27272DB2BB582FB00479E2114462E4C61F18D9B5F1B
Reporter abuse_ch
Tags:lnk xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
179
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Agent.GFQV.5575.9778.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/a19a8e6782f0008c3b10276c764962f6f27b27754d826f8d3679ef15bea122d5/results/dashboard
Behaviour
BlacklistAPI detected
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Agent
Link:
https://www.hybrid-analysis.com/sample/a19a8e6782f0008c3b10276c764962f6f27b27754d826f8d3679ef15bea122d5
Result
Verdict:
MALICIOUS
Details
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277233
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with a suspicious file extension
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Opens network shares
Potential malicious VBS script found (suspicious strings)
Renames powershell.exe to bypass HIPS
Windows shortcut file (LNK) starts blacklisted processes
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1277233 Sample: Invoice_7729839_PDF.lnk Startdate: 21/07/2023 Architecture: WINDOWS Score: 100 72 Found malware configuration 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 Windows shortcut file (LNK) starts blacklisted processes 2->76 78 4 other signatures 2->78 13 powershell.exe 30 2->13         started        17 wscript.exe 1 2->17         started        process3 file4 66 C:\Users\user\Desktop\sh.bat, DOS 13->66 dropped 94 Windows shortcut file (LNK) starts blacklisted processes 13->94 96 Opens network shares 13->96 19 cmd.exe 1 13->19         started        22 conhost.exe 1 13->22         started        signatures5 process6 signatures7 80 Windows shortcut file (LNK) starts blacklisted processes 19->80 82 Drops PE files with a suspicious file extension 19->82 24 cmd.exe 19->24         started        28 conhost.exe 19->28         started        84 Opens network shares 22->84 process8 file9 64 C:\Users\user\Desktop\sh.bat.scr, PE32+ 24->64 dropped 92 Renames powershell.exe to bypass HIPS 24->92 30 sh.bat.scr 3 17 24->30         started        34 conhost.exe 24->34         started        signatures10 process11 file12 70 C:\Users\user\AppData\...\hDbJVbiqOn.cmd, DOS 30->70 dropped 100 Windows shortcut file (LNK) starts blacklisted processes 30->100 102 Potential malicious VBS script found (suspicious strings) 30->102 104 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 30->104 36 wscript.exe 30->36         started        39 powershell.exe 30->39         started        41 powershell.exe 30->41         started        43 powershell.exe 30->43         started        signatures13 process14 signatures15 86 Windows shortcut file (LNK) starts blacklisted processes 36->86 45 cmd.exe 36->45         started        49 conhost.exe 39->49         started        51 conhost.exe 41->51         started        process16 file17 68 C:\Users\user\AppData\...\hDbJVbiqOn.cmd.scr, PE32+ 45->68 dropped 98 Renames powershell.exe to bypass HIPS 45->98 53 hDbJVbiqOn.cmd.scr 14 45->53         started        56 conhost.exe 45->56         started        signatures18 process19 signatures20 88 Windows shortcut file (LNK) starts blacklisted processes 53->88 90 Installs a global keyboard hook 53->90 58 powershell.exe 53->58         started        60 powershell.exe 53->60         started        process21 process22 62 conhost.exe 58->62         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a19a8e6782f0008c3b10276c764962f6f27b27754d826f8d3679ef15bea122d5/
Threat name:
Shortcut.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-07-21 06:26:10 UTC
File Type:
Binary
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ugni4z4c6aaiyoyqe5whmslc63zhwj3vjwbg7djwphxrlpvbelkq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230721-g68ahscc87/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a19a8e6782f0008c3b10276c764962f6f27b27754d826f8d3679ef15bea122d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EXE_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies executable artefacts in shortcut (LNK) files.
Rule name:LNK_sospechosos
Create hunting rule
Author:Germán Fernández
Description:Detecta archivos .lnk sospechosos
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_PowerShell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to powershell inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Shortcut (lnk) lnk a19a8e6782f0008c3b10276c764962f6f27b27754d826f8d3679ef15bea122d5

(this sample)

XWorm

Batch (bat) bat 9587ef7ba7dfe745e4c98f724110382b7b53f5f7781d1d3fcfc910abacb3fbb8

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 9587ef7ba7dfe745e4c98f724110382b7b53f5f7781d1d3fcfc910abacb3fbb8
  
Dropping
MD5 dd4468bffd868b37633b79934e65fbef

Comments