MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec86bb0fad6916b5f2ec59b29bbda6212d6feefb2e56f84fa95bbb3b8e13de01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec86bb0fad6916b5f2ec59b29bbda6212d6feefb2e56f84fa95bbb3b8e13de01
SHA3-384 hash: 7201ff8068f0f2dcf00eeb0871324159afd84e31eb2707c29b7383be4fd127934235dec7f4b221f118b395b660afcbc8
SHA1 hash: 060ca8facf4330b85e21c6043ca34beb50829c70
MD5 hash: 937b524875305e99670cabe8dea955ee
humanhash: river-glucose-neptune-december
File name:payload_1.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:65'165 bytes
First seen:2025-06-24 06:46:19 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:+ZPguRPSdU22frhc6OANAHWR4VrbBAt2Vk0Y7cGVDN6Jm900gdveuHTrjdt6Z:+tguAdUO67qHdBSaT6Z
Threatray 1'803 similar samples on MalwareBazaar
TLSH T19E539D12FD4B3C0C87AC35AB10CE5ED92A2D73DA11A009DE612FD6889EF983595D91CF
Magika vba
Reporter smica83
Tags:vbs xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10846/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=685a49c4b06783b9ebd6cd0d
Tags:
obfuscate shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 evasive obfuscated obfuscated powershell timeout
Link:
https://www.filescan.io/uploads/685a4a00cf2af15711164224/reports/386ce889-fba6-41ba-84bd-fdf2b49a8912/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/ec86bb0fad6916b5f2ec59b29bbda6212d6feefb2e56f84fa95bbb3b8e13de01
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1721648
Signature
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Potential malicious VBS script found (suspicious strings)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious Eventlog Clear or Configuration Change
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1721648 Sample: payload_1.vbs Startdate: 24/06/2025 Architecture: WINDOWS Score: 100 59 businesstradings.duckdns.org 2->59 69 Suricata IDS alerts for network traffic 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Yara detected Powershell decode and execute 2->73 77 10 other signatures 2->77 11 wscript.exe 2 2->11         started        14 svchost.exe 1 1 2->14         started        signatures3 75 Uses dynamic DNS services 59->75 process4 dnsIp5 83 VBScript performs obfuscated calls to suspicious functions 11->83 85 Wscript starts Powershell (via cmd or directly) 11->85 87 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->87 89 Suspicious execution chain found 11->89 17 cmd.exe 1 11->17         started        63 127.0.0.1 unknown unknown 14->63 signatures6 process7 signatures8 65 Wscript starts Powershell (via cmd or directly) 17->65 67 Suspicious command line found 17->67 20 cmd.exe 1 17->20         started        23 conhost.exe 17->23         started        process9 signatures10 79 Wscript starts Powershell (via cmd or directly) 20->79 81 Suspicious command line found 20->81 25 powershell.exe 3 50 20->25         started        30 conhost.exe 20->30         started        32 timeout.exe 1 20->32         started        34 cmd.exe 1 20->34         started        process11 dnsIp12 61 businesstradings.duckdns.org 185.167.61.11, 3033, 49686 INETLTDTR Turkey 25->61 53 \Device\ConDrv, ASCII 25->53 dropped 55 C:\Users\user\AppData\...\tmp7EA2.tmp.bat, DOS 25->55 dropped 57 C:\Users\user\AppData\...\cvmlh1ie.cmdline, Unicode 25->57 dropped 91 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->91 93 Suspicious powershell command line found 25->93 95 Found suspicious powershell code related to unpacking or dynamic code loading 25->95 97 Loading BitLocker PowerShell Module 25->97 36 csc.exe 3 25->36         started        39 cmd.exe 1 25->39         started        41 powershell.exe 28 25->41         started        43 7 other processes 25->43 file13 signatures14 process15 file16 51 C:\Users\user\AppData\Local\...\cvmlh1ie.dll, PE32 36->51 dropped 45 cvtres.exe 1 36->45         started        47 conhost.exe 39->47         started        49 timeout.exe 1 39->49         started        process17
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/ec86bb0fad6916b5f2ec59b29bbda6212d6feefb2e56f84fa95bbb3b8e13de01
Verdict:
Malware
YARA:
1 match(es)
Tags:
DeObfuscated Obfuscated Scripting.FileSystemObject Shell.Application T1059.005 VBScript
Link:
https://app.malva.re/file/937b524875305e99670cabe8dea955ee
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec86bb0fad6916b5f2ec59b29bbda6212d6feefb2e56f84fa95bbb3b8e13de01/
Threat name:
Script-WScript.Backdoor.Xworm
Create hunting rule
Status:
Suspicious
First seen:
2025-06-24 01:00:04 UTC
File Type:
Text (HTML)
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5sdlwd5nnelll4xmlgzjxpngeeww73x3fzlpqt5jlo5txdqt3yaq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
0ab149edd126d249c172864346f45dbcfa0ddee02015b6e44a121e6adbd5bd31
XWorm
4c3c7c82fef77195b527cac193188f01065d38da118efdd8d51d8fb53f5af87e
XWorm
792754b8f83fc54cb4f36b0aef98b787d13c76b12a83e765f380d6d8f421abcb
XWorm
839ac710d88eef9e5eaaa68183cd2f5fec297b7094263582d3e5441cf396db50
XWorm
a88faac5c77bb82c70e4aea71d3dffc333540cc05bdb18c5d21b1f9c5b258bc0
XWorm
a90c46b549a798b086e2ef3ee17728c7456cdf3730b25f50500143e3a56de1f8
XWorm
cabe7c8088610b32f234f920fdfc9c0ba3c64301e1cb3bd443f400b9998ba50f
XWorm
e9711aa0601544265b4f9c24442069c4edcd331af55798ca2e4a4d25532ddfd8
XWorm
error
XWorm
f0c6530004391cf1d41fb844ddfc26736baf935a52525f029d42c3dd0f6ec315
XWorm
+ 1'793 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm defense_evasion execution ransomware rat trojan
Link:
https://tria.ge/reports/250624-hjvataxrx7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Clears Windows event logs
Detect Xworm Payload
Xworm
Xworm family
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ec86bb0fad69/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ec86bb0fad6916b5f2ec59b29bbda6212d6feefb2e56f84fa95bbb3b8e13de01

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/10846/

Comments