MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecb6c26329c5aa711c857bb37431b6d5037b0d28818af4c033c78231d007bb40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ecb6c26329c5aa711c857bb37431b6d5037b0d28818af4c033c78231d007bb40
SHA3-384 hash: 0b0c880ae74c7b3e452a27c144ec6b48d65f61cafc3a9e9aad692e225c5408f136fe46162af296bb3529490f3db1c5d9
SHA1 hash: 68f51e9d3cd69b014a18a5d78f076851aee00850
MD5 hash: a2907290e94d10d566afaad71f0a77d2
humanhash: social-lemon-illinois-johnny
File name:XClient.vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:68'181 bytes
First seen:2025-03-20 00:55:08 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:T5XTgt1ZkbmEKUgXEXzICKUnF8rCB5g6R4RCUW629w:NTgtsHf2rCB5deCUQw
Threatray 1'606 similar samples on MalwareBazaar
TLSH T18263A5BDCBA2ADD8136B70E122AC3B56107CCB53E528577DFDDA58381D707049BB9089
Magika vba
Reporter Anonymous
Tags:captcha ps1 vbs worm xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.27688.25938.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67db6772115e7b48b48ee55c
Tags:
infosteal obfuscate obfusc sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated obfuscated
Link:
https://www.filescan.io/uploads/67db6774605ea86de781b969/reports/54c1962a-145c-4e4c-bc12-9c0e2674666e/overview
Verdict:
Malicious
Labled as:
VBS/TrojanDropper.Agent
Link:
https://www.hybrid-analysis.com/sample/ecb6c26329c5aa711c857bb37431b6d5037b0d28818af4c033c78231d007bb40
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Result
Threat name:
Batch Injector, XWorm
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1643709
Signature
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses shutdown.exe to shutdown or reboot the system
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Batch Injector
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1643709 Sample: XClient.vbs Startdate: 20/03/2025 Architecture: WINDOWS Score: 100 84 ax-0003.ax-msedge.net 2->84 86 api.msn.com 2->86 88 2 other IPs or domains 2->88 92 Suricata IDS alerts for network traffic 2->92 94 Found malware configuration 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 19 other signatures 2->98 11 wscript.exe 2 2->11         started        15 cmd.exe 1 2->15         started        17 cmd.exe 1 2->17         started        19 17 other processes 2->19 signatures3 process4 file5 80 C:\Users\user\AppData\Local\...\WordDoc.bat, ASCII 11->80 dropped 110 VBScript performs obfuscated calls to suspicious functions 11->110 112 Wscript starts Powershell (via cmd or directly) 11->112 114 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->114 116 Suspicious execution chain found 11->116 21 cmd.exe 1 11->21         started        24 cmd.exe 1 15->24         started        26 conhost.exe 15->26         started        28 cmd.exe 1 17->28         started        30 conhost.exe 17->30         started        32 cmd.exe 1 19->32         started        34 cmd.exe 1 19->34         started        36 cmd.exe 19->36         started        38 9 other processes 19->38 signatures6 process7 signatures8 100 Suspicious powershell command line found 21->100 102 Wscript starts Powershell (via cmd or directly) 21->102 104 Bypasses PowerShell execution policy 21->104 40 cmd.exe 2 21->40         started        43 conhost.exe 21->43         started        45 conhost.exe 24->45         started        47 powershell.exe 24->47         started        49 2 other processes 28->49 51 2 other processes 32->51 53 2 other processes 34->53 55 2 other processes 36->55 57 6 other processes 38->57 process9 signatures10 106 Suspicious powershell command line found 40->106 108 Wscript starts Powershell (via cmd or directly) 40->108 59 powershell.exe 1 17 40->59         started        64 conhost.exe 40->64         started        process11 dnsIp12 90 45.138.16.211, 49715, 49725, 49727 SPECTRAIPSpectraIPBVNL Netherlands 59->90 82 C:\Users\user\...\StartupScript_a8df0b67.cmd, ASCII 59->82 dropped 118 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 59->118 120 Suspicious powershell command line found 59->120 122 Uses shutdown.exe to shutdown or reboot the system 59->122 124 Found suspicious powershell code related to unpacking or dynamic code loading 59->124 66 winlogon.exe 59->66         started        68 shutdown.exe 1 59->68         started        70 shutdown.exe 59->70         started        72 3 other processes 59->72 file13 signatures14 process15 process16 74 fontdrvhost.exe 66->74         started        76 LogonUI.exe 66->76         started        78 dwm.exe 66->78         started       
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/ecb6c26329c5aa711c857bb37431b6d5037b0d28818af4c033c78231d007bb40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ecb6c26329c5aa711c857bb37431b6d5037b0d28818af4c033c78231d007bb40/
Threat name:
Script-WScript.Backdoor.XWorm
Create hunting rule
Status:
Malicious
First seen:
2025-03-20 00:55:12 UTC
File Type:
Text (VBS)
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5s3meyzjywvhchefpozximnw2ubxwdjiqgfpjqbty6bdduahxnaa._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
325a12d12fec73e302307abc5572574fde2a502d1241af65ecef57b0c8502e4d
XWorm
56f304f2e560f09da015a9f0744e3a0825f420e092ebf7d4605b81b56054bba5
XWorm
7a5e7ffe03839f2a8b690da5c55388122b1a8fcf5774f8a91db6eb9061b7bb4b
XWorm
c89e79c7b9ceb8f6119e162a8b1cb60e917414b23f5d1bd9af18484afcf5a744
XWorm
cb08ed88dd97692627d9bed9a5201369574a1ef581aa52cadd674b26461b1c9a
XWorm
d7c2da6b7bc8757e99b5a623a5f032152296315e8242f44a2f6b1a31ea96e6ac
XWorm
ddfddc84dc9e7089f3340846addcc1e9e4f2165348169599ca9814fb0013b739
XWorm
error
XWorm
fdb5b2a0041b0939552ecd31e382e28529313c8bc8a656eb7de1cef9fbd6eee9
XWorm
+ 1'596 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/250320-a9wmkaspw9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
45.138.16.211:7000
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ecb6c26329c5aa711c857bb37431b6d5037b0d28818af4c033c78231d007bb40

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Visual Basic Script (vbs) vbs ecb6c26329c5aa711c857bb37431b6d5037b0d28818af4c033c78231d007bb40

(this sample)

  
Delivery method
Distributed via web download

Comments