MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad6e95aef11205d3316d246a22541618d8dfa344f2a13208af09f2c542260e24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Metasploit

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	ad6e95aef11205d3316d246a22541618d8dfa344f2a13208af09f2c542260e24
SHA3-384 hash:	2dba158172aae6deafdd75fc46dbf2b69804f73eb34486d3e4dcca00c0f68646f1f9bf1199ab90a89cc8ca53a0972ae4
SHA1 hash:	749fc037702e6dd840b6e927856e933d2292c8c6
MD5 hash:	d6d2774f2652911f79c0f6fa94020638
humanhash:	sodium-jig-michigan-three
File name:	TS-240402-17-XWorm-749fc0.ps1
Download:	download sample
Signature	Metasploit Create hunting rule
File size:	25'964'964 bytes
First seen:	2024-04-03 11:38:38 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	49152:h3qXqynxhOaNH6GUnvLn9DT25vj3rREpM65U90qgekZ55ZsfrJQLUcEiDuEPVOhA:L
TLSH	T1D047AE60BF945AF9EF8D1E0E906AAF1CC7F042172D32706BFA515F05B9DA146810B26F
Reporter	likeastar20
Tags:	Metasploit ps1

Intelligence

File Origin

# of uploads :

# of downloads :

154

Origin country :

Vendor Threat Intelligence

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/ad6e95aef11205d3316d246a22541618d8dfa344f2a13208af09f2c542260e24

Result

Verdict:

MALICIOUS

Result

Threat name:

Metasploit, XWorm

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1419302

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus detection for URL or domain

Contains functionality to log keystrokes (.Net Source)

Early bird code injection technique detected

Found suspicious powershell code related to unpacking or dynamic code loading

Hijacks the control flow in another process

Malicious sample detected (through community Yara rule)

Queues an APC in another process (thread injection)

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Yara detected MetasploitPayload

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/ad6e95aef11205d3316d246a22541618d8dfa344f2a13208af09f2c542260e24

Gathering data

Threat name:

Script.Trojan.Malgent

Status:

Malicious

First seen:

2024-04-02 16:26:56 UTC

File Type:

Text (PowerShell)

AV detection:

5 of 24 (20.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vvxjllxrcic5gmlnervcevawddmn7i2e6kqtecfpbhzmkqrgbysa._file

Verdict:

unknown

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm rat trojan

Link:

https://tria.ge/reports/240403-nsawesda95/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops startup file

Detect Xworm Payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Xworm

Malware Config

C2 Extraction:

freshinxworm.ddns.net:7000

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ad6e95aef11205d3316d246a22541618d8dfa344f2a13208af09f2c542260e24

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample