MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a63e7dcefe717a6748bb223c17593b13918677dc82cd06468cd58bc891cd53bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a63e7dcefe717a6748bb223c17593b13918677dc82cd06468cd58bc891cd53bd
SHA3-384 hash: 0477984fe7f6b4a733aa7b3bc601834e317670a5e830b66550a7f679bf6c3be86eb6d1d521ab2ea74baf8ec3cac29749
SHA1 hash: 980b261446a095fe272d0ec95f1b2501fa26e781
MD5 hash: 60d30d1156c957dcbeb72c5abbdc6ce8
humanhash: river-minnesota-princess-oscar
File name:goodthingsarebestbetterwayscomingforu.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:2'230'510 bytes
First seen:2026-06-15 13:27:49 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/csv
ssdeep 96:gmPmPmPmPmPmPmPmPmPmPmPmPmPmPmPmPmPmPmPmPmPmPmPmPmPmPmPmPmPmPmP/:3uwiiZKSK72Dq6N6qDHLvJTvorpssc
Threatray 1'808 similar samples on MalwareBazaar
TLSH T1A8A512013E7A0F36673E3A56E8807A69B53A12D582FBB535D1C533041099D1EA8EF37E
Magika txt
Reporter James_inthe_box
Tags:exe vbs xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
US US
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70800/
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a2ffde934eaf30d8ce6599e
Tags:
malware
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/6a2ffdffbf16337e43c742e4/reports/9fdfca84-088f-4f8f-9ba6-3fd255cb8481/overview
Verdict:
Malicious
Labled as:
Downloader
Link:
https://www.hybrid-analysis.com/sample/a63e7dcefe717a6748bb223c17593b13918677dc82cd06468cd58bc891cd53bd
Verdict:
Malicious
File Type:
VBScript
Detections:
Trojan-Dropper.PowerShell.Agent.aft HEUR:Trojan.Script.Generic HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan-Downloader.PowerShell.Agent.gen Trojan.VBS.SAgent.sb Trojan.Multi.Agent.gen Trojan.JS.SAgent.sb
Link:
https://opentip.kaspersky.com/a63e7dcefe717a6748bb223c17593b13918677dc82cd06468cd58bc891cd53bd/results?tab=lookup
Score:
10%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/a63e7dcefe717a6748bb223c17593b13918677dc82cd06468cd58bc891cd53bd
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a63e7dcefe717a6748bb223c17593b13918677dc82cd06468cd58bc891cd53bd/
Verdict:
Malicious
Threat:
Trojan.PowerShell.Agent
Link:
https://tip.neiki.dev/file/a63e7dcefe717a6748bb223c17593b13918677dc82cd06468cd58bc891cd53bd
Threat name:
Script-WScript.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-06-15 10:36:10 UTC
File Type:
Binary
AV detection:
4 of 36 (11.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uy7h3tx6of5gosf3ei6bowj3coiym564qlgqmrum2wf4reonko6q._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
429f1c923c752215d19a9c7af23e21521911dddc5ad4d283baac4a9c9b36a3f2
XWorm
8bcb49d7c3bb3d5e54671f4e347f93ef660ee3a9f26795d177c49cef8900e7a7
XWorm
965655a4e816f10f193a93474deaa7c93465e84a44e20dae33e5a699651e77c5
XWorm
e5b2a48b132c284602d5304a46bf5f9a9691cc214cbf78e66ead55c2e6436b48
XWorm
e645f8ae3d43995692c197630e2b9c241d2b9d8dc6d1709a30a7a31c7257a84d
XWorm
error
XWorm
ff98a969bda3fcfae8b6ffb70abb685a66871f759e192f8f3e9f5f866dfb9663
XWorm
+ 1'798 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution rat trojan
Link:
https://tria.ge/reports/260615-qqyktaes3l/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Executes dropped EXE
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Family: Xworm
Process spawned unexpected child process
Malware Config
C2 Extraction:
172.245.106.54:3333
Dropper Extraction:
http://www.basefile.click/optimized_MSIljune.png
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Visual Basic Script (vbs) vbs a63e7dcefe717a6748bb223c17593b13918677dc82cd06468cd58bc891cd53bd

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/70800/
  
URLhaus
https://urlhaus.abuse.ch/url/3865135/
  
Delivery method
Distributed via web download

Comments