MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d88fc6590c4f50373cce292ca245fa77c0a3cecbab48564b8ef70c1051aa0aa6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d88fc6590c4f50373cce292ca245fa77c0a3cecbab48564b8ef70c1051aa0aa6
SHA3-384 hash: 1831afbada5ccfae559e0036f438bf909f2baea7ff1eff8d28c686f0ce729737135824a524ccbfa90b57ff4676d93d22
SHA1 hash: a2b534aa07ebaa3b452a1f4a9b05b6cd1b2c842f
MD5 hash: 4a83206f2fe5b8c48d5fca63c420908c
humanhash: vermont-nitrogen-neptune-delta
File name:TW03GBVSFS0PDHS_001_PDF.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:214'114 bytes
First seen:2022-11-16 18:01:03 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 96:i5fU56Igx1Ua7fLhwMwQgI5mPZFotzeSx8iamzdtaP1joXGhsS0:yfU0Igx1Ua7fLhwMwrI8PLotzeSx8i7Z
Threatray 63 similar samples on MalwareBazaar
TLSH T1E324F700B7964982A1E6A60B4673F0D4C73F7DD999358E4902DC927C0BEE5A88C5CFF6
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:vbs xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/334985/
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6375259b8d07bb59f81b06f5/reports/f8aed2b0-60a3-4fb8-aa90-f77d760f29c6/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1115129
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 747827 Sample: TW03GBVSFS0PDHS_001_PDF.vbs Startdate: 16/11/2022 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 5 other signatures 2->42 8 wscript.exe 1 2->8         started        11 powershell.exe 15 2->11         started        process3 signatures4 44 VBScript performs obfuscated calls to suspicious functions 8->44 46 Suspicious powershell command line found 8->46 48 Wscript starts Powershell (via cmd or directly) 8->48 13 powershell.exe 14 17 8->13         started        17 powershell.exe 15 11->17         started        19 conhost.exe 1 11->19         started        process5 dnsIp6 34 4.204.233.44, 49697, 80 LEVEL3US United States 13->34 50 Suspicious powershell command line found 13->50 52 Writes to foreign memory regions 13->52 54 Injects a PE file into a foreign processes 13->54 21 RegAsm.exe 2 13->21         started        24 powershell.exe 12 13->24         started        26 conhost.exe 13->26         started        signatures7 process8 dnsIp9 30 medelinemellinger.duckdns.org 103.151.123.121, 49699, 49700, 49701 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN unknown 21->30 32 192.168.2.1 unknown unknown 21->32 28 conhost.exe 24->28         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d88fc6590c4f50373cce292ca245fa77c0a3cecbab48564b8ef70c1051aa0aa6/
Threat name:
Script.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2022-11-16 18:02:05 UTC
File Type:
Text (VBS)
AV detection:
2 of 40 (5.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ch4mwimj5idopgofewkerp2o7akhtwlvnefms4o64gbaunkbkta._file
Verdict:
malicious
Similar samples:
096e33b9b0b4f843a7ea0259f75b4370f00ab90f3807eb89d5f0117da762900d
XWorm
0cff2bf05a9fe4f1c1953d1c1be3642fe955775a84ea109464fccb4ffb5bba09
XWorm
2c24d359f441614a46f56ce5c94a361cdfd03cd1bf91a99b1183675d6bf362a9
XWorm
5dd7d23ab5fe608da7a2bbb6e63dea48503d191a98a6dfe2427af7ba01d175b8
XWorm
7fc6a365af13150e7b1738129832ebd91f1010705b0ab0955a295e2c7d88be62
XWorm
9d8507a5ce83a0584aaa7c349a1f04e54b0c0d15433c0e54c2c1b74078cd3b2c
XWorm
afc1d8fda05e0a3970030ceaf91c79926441bc1549de9841e43ce36947c6f59a
XWorm
b88cc87476c96511d4da70732e1928471f9d48d25b2c7cc573ad2b2cdf19d3b0
XWorm
de31429e630dc376d96d2f144962593cdda95e25cf4bad28ab2e5fa7c4fea655
XWorm
+ 53 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/221116-wmf49agc4v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Malware Config
Dropper Extraction:
http://4.204.233.44/Dll/Dll.ppam
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d88fc6590c4f50373cce292ca245fa77c0a3cecbab48564b8ef70c1051aa0aa6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_VBS_Wscript_Shell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Visual Basic Script (vbs) vbs d88fc6590c4f50373cce292ca245fa77c0a3cecbab48564b8ef70c1051aa0aa6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/334985/

Comments