MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd508ca26a1917807c4daba2f960be5243f831ab1119e947349349703254595d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd508ca26a1917807c4daba2f960be5243f831ab1119e947349349703254595d
SHA3-384 hash: 941ddc3554f23e2937c094174f224290d757024415a3e75cbdb18bda2028cee7ed084952d58c4cb0cb06b1516bf5dd4d
SHA1 hash: 2d602c82449021bf7171e00c029a7ba771724847
MD5 hash: 66b79c9590a364c117a66eb87bc493b8
humanhash: coffee-fourteen-may-yankee
File name:Shipping Doc.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:2'734 bytes
First seen:2025-09-04 14:28:22 UTC
Last seen:2025-09-05 09:29:31 UTC
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:JyQC1UcUXvYNKWQlTf1GqjuGZMscW/2OUeTkcJ+aFMB3Ff2H2TUlepMf1jukipMg:JOOp7fIixZdnyBJ3TjMEj+B5zTjY
Threatray 1'200 similar samples on MalwareBazaar
TLSH T1485179A9781DC67C0E5391C12CBFEC0DFA7AB986551C647B7858881C001597CA69EBCF
Magika vba
Reporter abuse_ch
Tags:vbs xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
51
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/25078/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b9a22eeb163e0ec18457f7
Tags:
ransomware shell sage
Verdict:
Malicious
Labled as:
VBS/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/bd508ca26a1917807c4daba2f960be5243f831ab1119e947349349703254595d
Verdict:
Malicious
File Type:
vbs
First seen:
2025-09-04T02:37:00Z UTC
Last seen:
2025-09-04T02:37:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/bd508ca26a1917807c4daba2f960be5243f831ab1119e947349349703254595d/results?tab=lookup
Result
Threat name:
Remcos, PureLog Stealer, XWorm
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1771239
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Remcos
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1771239 Sample: Shipping Doc.vbs Startdate: 04/09/2025 Architecture: WINDOWS Score: 100 64 pastebin.com 2->64 66 geoplugin.net 2->66 68 dpaste.org 2->68 84 Suricata IDS alerts for network traffic 2->84 86 Found malware configuration 2->86 88 Malicious sample detected (through community Yara rule) 2->88 92 19 other signatures 2->92 10 wscript.exe 1 2->10         started        13 svchost.exe 1 1 2->13         started        signatures3 90 Connects to a pastebin service (likely for C&C) 64->90 process4 dnsIp5 94 VBScript performs obfuscated calls to suspicious functions 10->94 96 Suspicious powershell command line found 10->96 98 Wscript starts Powershell (via cmd or directly) 10->98 100 3 other signatures 10->100 16 powershell.exe 12 10->16         started        19 powershell.exe 11 10->19         started        21 powershell.exe 14 16 10->21         started        25 2 other processes 10->25 78 127.0.0.1 unknown unknown 13->78 signatures6 process7 dnsIp8 80 Writes to foreign memory regions 16->80 82 Injects a PE file into a foreign processes 16->82 27 InstallUtil.exe 4 6 16->27         started        31 taskkill.exe 1 16->31         started        45 4 other processes 16->45 33 InstallUtil.exe 19->33         started        35 InstallUtil.exe 19->35         started        37 conhost.exe 19->37         started        70 pastebin.com 172.66.171.73, 443, 49692 CLOUDFLARENETUS United States 21->70 58 C:\Users\user\AppData\Local\...\data_exp.txt, ASCII 21->58 dropped 39 conhost.exe 21->39         started        72 dpaste.org 104.20.36.119, 443, 49693, 49694 CLOUDFLARENETUS United States 25->72 60 C:\Users\user\AppData\Local\Temp\x.txt, ASCII 25->60 dropped 62 C:\Users\user\AppData\Local\Temp\d.txt, ASCII 25->62 dropped 41 conhost.exe 25->41         started        43 conhost.exe 25->43         started        file9 signatures10 process11 dnsIp12 74 216.9.224.34, 2404, 49705, 49707 ATT-INTERNET4US Reserved 27->74 76 geoplugin.net 178.237.33.50, 49706, 80 ATOM86-ASATOM86NL Netherlands 27->76 102 Detected Remcos RAT 27->102 104 Maps a DLL or memory area into another process 27->104 47 InstallUtil.exe 27->47         started        50 InstallUtil.exe 27->50         started        52 InstallUtil.exe 27->52         started        106 Contains functionality to bypass UAC (CMSTPLUA) 33->106 108 Tries to steal Mail credentials (via file registry) 33->108 110 Contains functionalty to change the wallpaper 33->110 112 5 other signatures 33->112 54 MpCmdRun.exe 39->54         started        signatures13 process14 signatures15 114 Tries to steal Instant Messenger accounts or passwords 47->114 116 Tries to steal Mail credentials (via file / registry access) 47->116 118 Tries to harvest and steal browser information (history, passwords, etc) 50->118 56 conhost.exe 54->56         started        process16
Score:
74%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/bd508ca26a1917807c4daba2f960be5243f831ab1119e947349349703254595d
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd508ca26a1917807c4daba2f960be5243f831ab1119e947349349703254595d/
Threat name:
Script-WScript.Backdoor.XWorm
Create hunting rule
Status:
Malicious
First seen:
2025-09-04 14:37:42 UTC
File Type:
Text (VBS)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xviizitkdelya7cnvorpsyf6kjb7qmnlcem6srzusnexamsulfoq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
nirsoft
Create hunting rule
xworm
Create hunting rule
admintool_mailpassview
Create hunting rule
Similar samples:
11d67ce2068437cce35f0b601119ebd071921f536daa8a5afff7c4d03ff1a4bc
XWorm
1a8c4a357230c2b388cb9cc9171ab0bcc37a194fdf99e69e6a42d8e1a3d2652b
XWorm
2c3f31c3ee37440e580e755960537e13511027a95e9539da15c3984a8a20be9f
XWorm
36e0589d6c7fe2ba454673e8ad1becbd09d60838d80f95ba4f7c4cbfa635816c
XWorm
42b3442bc675f7ff95d660935ea8756710fea99551b1d614f2e8b7db739d72a0
XWorm
51a915c8b96fdba9947eb213342bae13ec23863f80cc0926c75a8546d1183eb6
XWorm
548130edd9e2a0fc302a475316a4fbc2a2e2351c4f92f19ba73bfb72d10fe299
XWorm
8ba912704a7e4f686d5f29c0277b52fbfdeb1d1708bab9c6d0e06eb48f8dc539
XWorm
d2a87b1b1a1106b874e949e49a55e7e68202eaa84062c270bbf62481bb769a45
XWorm
error
XWorm
f5147495983f1e0eb0d595bcced8d5fceedfef286909fe6f213760c0742493ac
XWorm
+ 1'190 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm defense_evasion discovery execution rat trojan
Link:
https://tria.ge/reports/250904-rwtdqagr8x/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
through-nearest.gl.at.ply.gg:29739
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bd508ca26a19/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:SUSP_PowerShell_Base64_Decode
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects PowerShell code to decode Base64 data. This can yield many FP
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/25078/

Comments