MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae38e2fa3a600fa50aee8e81e87d4c8d3c563f50b58aa2bf4ce3e99af2624a68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae38e2fa3a600fa50aee8e81e87d4c8d3c563f50b58aa2bf4ce3e99af2624a68
SHA3-384 hash: be173fb9c65a74577dd5e47aca5ba1146145b4aa7c1c57d8f1cff0b3197cafd92343b253cecdac5be3cb966eafe1da53
SHA1 hash: bb3ddcf1e71313ba6de7c41e642f7dbe53cc33ae
MD5 hash: 63e69822e38964ae33ae125f7614d1b4
humanhash: low-salami-coffee-jupiter
File name:Maersk_Bl_copy_awb_parkinglist_commerical_Inv_documents_21_01_2026_00000000000000000000000000000000000000000000000000000_pdf.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:17'647 bytes
First seen:2026-01-22 11:45:45 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 192:KIWZhQ8KJwtedzwVRDCkODZVubMn/sQs9sGYtdShnPG4uNOJQNSoBF7El4HvcnIc:K9ZhZe0DKlO+hqyZXr4l4yCcN
Threatray 687 similar samples on MalwareBazaar
TLSH T18B82F9268A18FFF0092E72512A4F6C2954220B119A34364D7A8FEDED3B3A571DFC14E9
Magika vba
Reporter lowmal3
Tags:vbs xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
60
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/49722/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69720e00f3cf908ba507498f
Tags:
xtreme shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 masquerade obfuscated obfuscated powershell
Link:
https://www.filescan.io/uploads/69720e08a9d5ec2c54cf6b70/reports/71c4ef56-1921-4b0a-b255-278e6f5290b4/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/ae38e2fa3a600fa50aee8e81e87d4c8d3c563f50b58aa2bf4ce3e99af2624a68
Verdict:
Malicious
File Type:
vbs
First seen:
2026-01-22T08:06:00Z UTC
Last seen:
2026-01-24T10:27:00Z UTC
Hits:
~1000
Detections:
HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic HEUR:Trojan.Multi.Stego.gen PDM:Trojan.Win32.Generic Trojan-Downloader.PowerShell.NanoShield.sb Trojan.JS.SAgent.sb
Link:
https://opentip.kaspersky.com/ae38e2fa3a600fa50aee8e81e87d4c8d3c563f50b58aa2bf4ce3e99af2624a68/results?tab=lookup
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1855675
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1855675 Sample: st_commerical_Inv_documents... Startdate: 22/01/2026 Architecture: WINDOWS Score: 100 55 xxblessing2026now.duckdns.org 2->55 57 keyauth.win 2->57 59 habibjee.store 2->59 69 Suricata IDS alerts for network traffic 2->69 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 77 16 other signatures 2->77 10 wscript.exe 1 2->10         started        13 svchost.exe 2->13         started        15 svchost.exe 2 2->15         started        17 3 other processes 2->17 signatures3 75 Uses dynamic DNS services 55->75 process4 signatures5 87 VBScript performs obfuscated calls to suspicious functions 10->87 89 Suspicious powershell command line found 10->89 91 Wscript starts Powershell (via cmd or directly) 10->91 95 2 other signatures 10->95 19 powershell.exe 14 24 10->19         started        93 Changes security center settings (notifications, updates, antivirus, firewall) 13->93 24 MpCmdRun.exe 1 13->24         started        26 conhost.exe 15->26         started        28 conhost.exe 17->28         started        process6 dnsIp7 61 habibjee.store 172.67.167.137, 443, 49728 CLOUDFLARENETUS United States 19->61 49 C:\Users\user\AppData\...\l1tydfsj.cmdline, Unicode 19->49 dropped 79 Writes to foreign memory regions 19->79 81 Modifies the context of a thread in another process (thread injection) 19->81 83 Suspicious execution chain found 19->83 85 Injects a PE file into a foreign processes 19->85 30 RegAsm.exe 2 7 19->30         started        35 csc.exe 3 19->35         started        37 conhost.exe 19->37         started        39 conhost.exe 24->39         started        file8 signatures9 process10 dnsIp11 63 xxblessing2026now.duckdns.org 185.167.61.11, 3025, 49729, 49730 INETLTDTR Turkey 30->63 51 C:\Users\user\AppData\Roaming\svchost.exe, PE32+ 30->51 dropped 65 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 30->65 67 Drops PE files with benign system names 30->67 41 cmd.exe 1 30->41         started        53 C:\Users\user\AppData\Local\...\l1tydfsj.dll, PE32 35->53 dropped 43 cvtres.exe 1 35->43         started        file12 signatures13 process14 process15 45 conhost.exe 41->45         started        47 timeout.exe 1 41->47         started       
Score:
95%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/ae38e2fa3a600fa50aee8e81e87d4c8d3c563f50b58aa2bf4ce3e99af2624a68
Verdict:
inconclusive
YARA:
1 match(es)
Link:
https://app.malva.re/file/63e69822e38964ae33ae125f7614d1b4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae38e2fa3a600fa50aee8e81e87d4c8d3c563f50b58aa2bf4ce3e99af2624a68/
Verdict:
Malicious
Threat:
Trojan-Downloader.PowerShell.NanoShield
Link:
https://tip.neiki.dev/file/ae38e2fa3a600fa50aee8e81e87d4c8d3c563f50b58aa2bf4ce3e99af2624a68
Threat name:
Script-WScript.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2026-01-22 11:46:25 UTC
File Type:
Text (VBS)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vy4of6r2mah2kcxor2a6q7kmru6fmp2qwwfkfp2m4puzv4tcjjua._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
15a9f29aaba59940714e92ef77712542ddb68ceb2f82f62ee85e30956ec23929
XWorm
3716c515929ba48afbc09a0f97ea788c69c47f6037a2b203f1c165faff10f78c
XWorm
3768c32a3502eb25fc0b0198ceb5953635d6def683ce281bb8289b01f656e5b4
XWorm
5368ee78ec544ea4b93c7e7cf85ca44329b2f3931d8f93194be18866052c5731
XWorm
75e50384053e487d49bae8f857fd39af0179c293496f0312072dbaf9af9c085c
XWorm
ab582206dc5682e528a6b1b5457661e5292acfb0a5a3aa4a2bd81f22cb3a1c73
XWorm
bc6edff1b1148a9ad6a3aa8db0371d55ac57c8307ed841fc8e8030bdf4bed7ab
XWorm
cf47a12ab207f39bb11672dc366839a72b61ee81d0870edffa2c3c5c058a0e0e
XWorm
error
XWorm
+ 677 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm defense_evasion execution persistence rat trojan
Link:
https://tria.ge/reports/260122-nxm2jsd19b/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Badlisted process makes network request
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
xxblessing2026now.duckdns.org:3025
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ae38e2fa3a600fa50aee8e81e87d4c8d3c563f50b58aa2bf4ce3e99af2624a68

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Visual Basic Script (vbs) vbs ae38e2fa3a600fa50aee8e81e87d4c8d3c563f50b58aa2bf4ce3e99af2624a68

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/49722/

Comments