MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d29f57dd228c45a7176306e87d8f670324a6fcda2e42914b6b96e084be455872. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	d29f57dd228c45a7176306e87d8f670324a6fcda2e42914b6b96e084be455872
SHA3-384 hash:	e60dec6d298a6a504ea48d992b03acead20c2bd8ce3ed42e2e23927e46785d35c7606b1e389049d45f3946311ae0a856
SHA1 hash:	150abc01c2349e91690358a797847b8f1fedc799
MD5 hash:	ef4e0179d08bfd9e62439d4a0e6749a6
humanhash:	minnesota-aspen-batman-fix
File name:	reported_account_violation-pdf-88205682.wsf
Download:	download sample
Signature	XWorm Create hunting rule
File size:	7'168 bytes
First seen:	2024-09-24 12:04:04 UTC
Last seen:	Never
File type:
MIME type:	text/html
ssdeep	192:VD+recI3IM06SwfzjpevgBVubrKj7h73Tn2sycaRX:VDCeNT06SwfIgjubu7baRX
Threatray	120 similar samples on MalwareBazaar
TLSH	T1ADE1B533674D33724EA341017A4F69D5D77AC82C27670664BC9C482A9352DD883BBAED
Magika	vba
Reporter	JAMESWT_WT
Tags:	ALBANIAH3CKER-WORK-GD--7000 bitbucket-org--xyz491 wsf xworm

Intelligence

File Origin

# of uploads :

# of downloads :

118

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Script.SNH-gen.15412.4366.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66f2d2c98aca58c2b2c717c2

Tags:

Discovery Execution Network Stealth Obfuscate Gumen Tori Sage

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade powershell

Link:

https://www.filescan.io/uploads/66f2aaf4972cea95645ee6a4/reports/b643da8d-3fb9-40b4-81f3-9c0b3725be2a/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/d29f57dd228c45a7176306e87d8f670324a6fcda2e42914b6b96e084be455872

Result

Verdict:

UNKNOWN

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj.expl.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1516966

Signature

AI detected suspicious sample

Connects to a pastebin service (likely for C&C)

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Sigma detected: Potential PowerShell Command Line Obfuscation

Suricata IDS alerts for network traffic

Suspicious execution chain found

VBScript performs obfuscated calls to suspicious functions

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d29f57dd228c45a7176306e87d8f670324a6fcda2e42914b6b96e084be455872/

Threat name:

Script-WScript.Trojan.XWormRAT

Status:

Malicious

First seen:

2024-09-24 12:11:24 UTC

File Type:

Text

Extracted files:

AV detection:

4 of 38 (10.53%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2kpvpxjcrrc2of3da3uh3d3hamskn7g2fzbjcs3ls3qijpsflbza._file

Verdict:

malicious

Label(s):

xworm

XWorm

5276315df64f106f68ce6d95b14ae9b7b5397c23a49730230307cfa220987e11

XWorm

65003b56f231e2913aed2ce8c6e5311778f03762263c43e10daafbb846d687cf

XWorm

965dbf6ca5e9fdbb154b9db035f4b25caabe86b95f87adc3350811e4b4b22cd3

XWorm

99f06496855853d5dd5c3affa6db7d416a9b2442a96b875855fc8d7041101be2

XWorm

d17e7ac95f9c06c0bce400e305293b2119d0334d40db648d9a3a65a862f5285b

XWorm

+ 110 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm discovery execution rat trojan

Link:

https://tria.ge/reports/240924-saf2yatbjc/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Detect Xworm Payload

Xworm

Malware Config

C2 Extraction:

ALBANIAH3CKER.WORK.GD:7000

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d29f57dd228c45a7176306e87d8f670324a6fcda2e42914b6b96e084be455872

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_Malicious_VBScript_Base64 Create hunting rule
Author:	daniyyell
Description:	Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample