MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3b6ec7c083b42ee8fc740390176c8946d4e1334eb6309f3b52119db1107948c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XWorm


Vendor detections: 13



SHA256 hash: c3b6ec7c083b42ee8fc740390176c8946d4e1334eb6309f3b52119db1107948c
SHA3-384 hash: b421c4c52573c83b74ec64c2ab0c006dec6d55ac66ed979fadfdbd6a5f1d60da6588bbceead6b92a49b4a41b65051832
SHA1 hash: d9d1bc0756a34b7eca60bb9ec3f4f7aa50958b42
MD5 hash: f6c22772cbf9d609d7ea7ece081ae7fd
humanhash: lion-bravo-lamp-hamper
File name: z22output_1762289360.vbs
Signature: XWorm
File size: 238'297 bytes
First seen: 2025-11-05 01:01:14 UTC
Last seen: 2025-11-05 15:24:42 UTC
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 6144:AW69f/Ape/AOawp7J4/LAfYKtL4lWfFeobfBWSI4Ez/RM6VYvuH0COc:HeWSftY
Threatray: 1'454 similar samples on MalwareBazaar
TLSH: T167344A35F510AB7F1A13286271721F7B03EA394F5BA33A379586C5282E109245BEF1DB
Magika: vba
Reporter: FXOLabs
Tags: Spam-ITA vbs xworm

Intelligence


File Origin
# of uploads: 10
# of downloads: 87
Origin country: BR
Vendor Threat Intelligence
Verdict: Malicious
Score: 92.5%
Tags: obfuscate xtreme shell
Verdict: Malicious
File Type: vbs
First seen: 2025-11-04T19:42:00Z UTC
Last seen: 2025-11-06T23:24:00Z UTC
Hits: ~10000
Detections: Trojan.JS.SAgent.sb, HEUR:Trojan.VBS.SAgent.gen, HEUR:Trojan.Script.Generic, HEUR:Trojan.PowerShell.Tesre.sb, Backdoor.Agent.TCP.C&C, Trojan-Downloader.JS.Cryptoload.sb, HEUR:Trojan-Downloader.Script.Generic
Verdict: Malware
YARA: 1 match(es)
Tags: Scripting.FileSystemObject VBScript
Threat name: Script-WScript.Trojan.Egairtigado
Status: Malicious
First seen: 2025-11-05 00:49:31 UTC
File Type: Text (VBS)
AV detection: 12 of 38 (31.58%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xworm execution rat trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Badlisted process makes network request
Detect Xworm Payload
Process spawned unexpected child process
Xworm
Xworm family
Malware Config
C2 Extraction: 31.40.204.73:1414
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Visual Basic Script (vbs) c3b6ec7c083b42ee8fc740390176c8946d4e1334eb6309f3b52119db1107948c (this sample)

Delivery method: Distributed via e-mail attachment
