MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5a2fd9c057765f6eb2bde2cc86317b53d8418117c9e1362596e067b44ea7d04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5a2fd9c057765f6eb2bde2cc86317b53d8418117c9e1362596e067b44ea7d04
SHA3-384 hash: 83245b457c4e4935a7f823384bdb0eecca60d23100710bdb213deddcdb5cf078844bba4e616a7f6595d57c65d69c1bbf
SHA1 hash: b2990e0c9f9549b1f8cc3dceec47663b975cbb36
MD5 hash: 22d736ac0bfacea4d23dbaf9412d329a
humanhash: uniform-eight-cat-nitrogen
File name:receipt.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:4'988 bytes
First seen:2024-04-05 11:17:38 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 96:LQUUjcFSoSqUnPkPKOTK6yjbo+yHQUJ8fLGZ2k7:dYcFh5UsPKOTJcoLMw2k7
TLSH T1DDA16F5687FA4104F2F35A4C993226795B777A1A683DC20C05EC3D1E1FF3A8498267B7
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter adrian__luca
Tags:vbs xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
HU HU
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
nemucod virus
Link:
https://www.filescan.io/uploads/660fddf0d463a7b0478116a7/reports/4f19ad6f-68eb-4e65-96d0-be255bc24e53/overview
Verdict:
Suspicious
Labled as:
VBS/Agent.BKF.gen
Link:
https://www.hybrid-analysis.com/sample/c5a2fd9c057765f6eb2bde2cc86317b53d8418117c9e1362596e067b44ea7d04
Result
Verdict:
MALICIOUS
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1420803
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Powershell is started from unusual location (likely to bypass HIPS)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Renames powershell.exe to bypass HIPS
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Executable File Creation
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected Powershell download and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1420803 Sample: receipt.vbs Startdate: 05/04/2024 Architecture: WINDOWS Score: 100 108 pastebin.com 2->108 110 paste.ee 2->110 112 2 other IPs or domains 2->112 126 Snort IDS alert for network traffic 2->126 128 Multi AV Scanner detection for domain / URL 2->128 130 Found malware configuration 2->130 134 20 other signatures 2->134 14 wscript.exe 14 2->14         started        18 cmd.exe 2->18         started        20 cmd.exe 2->20         started        22 2 other processes 2->22 signatures3 132 Connects to a pastebin service (likely for C&C) 110->132 process4 dnsIp5 122 paste.ee 104.21.84.67, 443, 49699 CLOUDFLARENETUS United States 14->122 162 System process connects to network (likely due to code injection or exploit) 14->162 164 VBScript performs obfuscated calls to suspicious functions 14->164 166 Suspicious powershell command line found 14->166 168 5 other signatures 14->168 24 powershell.exe 7 14->24         started        27 cmd.exe 18->27         started        30 conhost.exe 18->30         started        32 cmd.exe 20->32         started        34 conhost.exe 20->34         started        36 cmd.exe 22->36         started        38 conhost.exe 22->38         started        40 conhost.exe 22->40         started        signatures6 process7 file8 144 Suspicious powershell command line found 24->144 146 Found suspicious powershell code related to unpacking or dynamic code loading 24->146 42 powershell.exe 14 15 24->42         started        46 conhost.exe 24->46         started        104 C:\Users\user\AppData\...\wjcbdv.bat.exe, PE32+ 27->104 dropped 148 Renames powershell.exe to bypass HIPS 27->148 48 wjcbdv.bat.exe 27->48         started        50 conhost.exe 27->50         started        52 wjcbdv.bat.exe 32->52         started        54 conhost.exe 32->54         started        56 wjcbdv.bat.exe 36->56         started        58 conhost.exe 36->58         started        signatures9 process10 dnsIp11 114 uploaddeimagens.com.br 104.21.45.138, 443, 49700, 49701 CLOUDFLARENETUS United States 42->114 116 cdn.discordapp.com 162.159.130.233, 443, 49702 CLOUDFLARENETUS United States 42->116 150 Writes to foreign memory regions 42->150 152 Injects a PE file into a foreign processes 42->152 60 AddInProcess32.exe 15 4 42->60         started        64 AddInProcess32.exe 42->64         started        154 Powershell is started from unusual location (likely to bypass HIPS) 48->154 156 Reads the Security eventlog 48->156 158 Reads the System eventlog 48->158 160 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 48->160 67 powershell.exe 48->67         started        69 powershell.exe 52->69         started        71 powershell.exe 56->71         started        signatures12 process13 dnsIp14 118 91.92.249.142, 49704, 49713, 8989 THEZONEBG Bulgaria 60->118 120 pastebin.com 104.20.68.143, 443, 49703, 49712 CLOUDFLARENETUS United States 60->120 106 C:\Users\user\AppData\Local\Temp\wjcbdv.bat, DOS 60->106 dropped 73 cmd.exe 1 60->73         started        124 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 64->124 75 conhost.exe 67->75         started        77 conhost.exe 69->77         started        79 conhost.exe 71->79         started        file15 signatures16 process17 process18 81 cmd.exe 2 73->81         started        84 conhost.exe 73->84         started        file19 100 C:\Users\user\AppData\...\wjcbdv.bat.exe, PE32 81->100 dropped 86 wjcbdv.bat.exe 15 22 81->86         started        90 conhost.exe 81->90         started        process20 file21 102 C:\Users\user\AppData\Roaming\wjcbdv.bat, DOS 86->102 dropped 136 Uses schtasks.exe or at.exe to add and modify task schedules 86->136 138 Powershell is started from unusual location (likely to bypass HIPS) 86->138 140 Reads the Security eventlog 86->140 142 Reads the System eventlog 86->142 92 powershell.exe 86->92         started        94 schtasks.exe 86->94         started        signatures22 process23 process24 96 conhost.exe 92->96         started        98 conhost.exe 94->98         started       
Score:
0%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/c5a2fd9c057765f6eb2bde2cc86317b53d8418117c9e1362596e067b44ea7d04
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c5a2fd9c057765f6eb2bde2cc86317b53d8418117c9e1362596e067b44ea7d04/
Threat name:
Script-WScript.Backdoor.Xworm
Create hunting rule
Status:
Suspicious
First seen:
2024-04-05 11:18:04 UTC
File Type:
Text (VBS)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ywrp3hafo5s7n2zl3ywmqyyxwu6yigarpspbgysznydhwrhkpuca._file
Verdict:
malicious
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm persistence rat trojan
Link:
https://tria.ge/reports/240405-nd9q7sah76/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Executes dropped EXE
Blocklisted process makes network request
Detect Xworm Payload
Xworm
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c5a2fd9c057765f6eb2bde2cc86317b53d8418117c9e1362596e067b44ea7d04

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Visual Basic Script (vbs) vbs c5a2fd9c057765f6eb2bde2cc86317b53d8418117c9e1362596e067b44ea7d04

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments