MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f708f7ff0a6559791d3a153e4b6c55d35c8f138fe35ef34620b0e62e085bbf19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f708f7ff0a6559791d3a153e4b6c55d35c8f138fe35ef34620b0e62e085bbf19
SHA3-384 hash: 6b37ac20dacc03f3c082169f4b1bc8b1c8bb40f57ea42dd4e0739173fe5d43d2ba77c41c20f75218a3dd6fc44bafa036
SHA1 hash: b9fba0cd3245d45b46c4889ceb91776e23fc31cb
MD5 hash: 19d5a9dfce91e2c06c5fd3ef09a5edcd
humanhash: red-pasta-five-pasta
File name:Commitment_for_Title_Insurance-660184790411.wsf
Download: download sample
Signature XWorm
Create hunting rule
File size:5'217 bytes
First seen:2024-09-24 12:01:45 UTC
Last seen:2024-09-24 12:18:53 UTC
File type:
MIME type:text/html
ssdeep 96:TtWXrHfYiu03P/hyUMl2N6SmxV3xzjpe40y5hzPD4KjVl:J0rTuI3HM06Sifzjpevy5BPD4Wv
Threatray 1'326 similar samples on MalwareBazaar
TLSH T1FEB1B4322A4E7A75CEA3088164CBBD51C7A9941D233388B07C1C1CAD43559ACC2BF9EE
Magika vba
Reporter JAMESWT_WT
Tags:bitbucket-org--xyz491 vecotr-viewdns-net wsf xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PwrSh.Iex-C.15207.3416.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f2d34a5346c7b922adaeeb
Tags:
Execution Stealth Corrupt Xtreme Tori
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade powershell
Link:
https://www.filescan.io/uploads/66f2aa421d8effc31dc56573/reports/e75acaf6-59b3-43f0-aeff-899e1ef41b3c/overview
Verdict:
Suspicious
Labled as:
VirTool/PS.Obfuscator
Link:
https://www.hybrid-analysis.com/sample/f708f7ff0a6559791d3a153e4b6c55d35c8f138fe35ef34620b0e62e085bbf19
Result
Verdict:
UNKNOWN
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1516976
Signature
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses the Telegram API (likely for C&C communication)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1516976 Sample: Commitment_for_Title_Insura... Startdate: 24/09/2024 Architecture: WINDOWS Score: 100 44 paste.ee 2->44 46 api.telegram.org 2->46 48 2 other IPs or domains 2->48 58 Suricata IDS alerts for network traffic 2->58 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 68 8 other signatures 2->68 10 wscript.exe 1 2->10         started        13 wscript.exe 1 2->13         started        signatures3 64 Connects to a pastebin service (likely for C&C) 44->64 66 Uses the Telegram API (likely for C&C communication) 46->66 process4 signatures5 76 Wscript starts Powershell (via cmd or directly) 10->76 15 cmd.exe 1 10->15         started        78 VBScript performs obfuscated calls to suspicious functions 13->78 80 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->80 82 Suspicious execution chain found 13->82 18 powershell.exe 14 46 13->18         started        process6 dnsIp7 84 Suspicious powershell command line found 15->84 86 Wscript starts Powershell (via cmd or directly) 15->86 88 Bypasses PowerShell execution policy 15->88 22 cmd.exe 1 15->22         started        25 conhost.exe 15->25         started        50 api.telegram.org 149.154.167.220, 443, 49714 TELEGRAMRU United Kingdom 18->50 52 paste.ee 188.114.97.3, 443, 49711 CLOUDFLARENETUS European Union 18->52 54 api.ipify.org 104.26.13.205, 443, 49713 CLOUDFLARENETUS United States 18->54 38 C:\ProgramData\Music\Visuals\VsLabsData.ps1, ASCII 18->38 dropped 40 C:\ProgramData\Music\Visuals\VsLabs.vbs, ASCII 18->40 dropped 42 C:\ProgramData\Music\Visuals\VsEnhance.bat, DOS 18->42 dropped 90 Loading BitLocker PowerShell Module 18->90 27 powershell.exe 7 18->27         started        29 conhost.exe 18->29         started        file8 signatures9 process10 signatures11 72 Suspicious powershell command line found 22->72 74 Wscript starts Powershell (via cmd or directly) 22->74 31 powershell.exe 15 22->31         started        process12 signatures13 92 Writes to foreign memory regions 31->92 94 Injects a PE file into a foreign processes 31->94 34 RegSvcs.exe 2 31->34         started        process14 dnsIp15 56 vecotr.viewdns.net 191.96.207.180, 49719, 50000 ASN-XTUDIONETES Chile 34->56 70 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->70 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f708f7ff0a6559791d3a153e4b6c55d35c8f138fe35ef34620b0e62e085bbf19/
Threat name:
Win32.Dropper.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-09-11 20:09:38 UTC
File Type:
Text
Extracted files:
1
AV detection:
1 of 38 (2.63%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=64epp7ykmvmxshj2cu7ew3cv2noi6e4p4nppgrrawdtc4cc3x4mq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
3a5134cc11c7c47b7268e7bf6bf1556c5ff5044af54b7931cae652bfd8d83717
XWorm
65003b56f231e2913aed2ce8c6e5311778f03762263c43e10daafbb846d687cf
XWorm
ca7c2fbb9989ff738c74492d418a9c411f47944ca27b11ff2f41cd1e4f03b7a5
XWorm
d29f57dd228c45a7176306e87d8f670324a6fcda2e42914b6b96e084be455872
XWorm
f3831d6ca373f539fec77e975ae4fc26451bfb3113513813819ea1111f31a81a
XWorm
fe6e4a3e286bead5bf06a21ea57b4237ac4d0d25b832634f6cc1e743d86c75e7
XWorm
+ 1'316 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/240924-sb6nzstbqe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f708f7ff0a6559791d3a153e4b6c55d35c8f138fe35ef34620b0e62e085bbf19

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_Malicious_VBScript_Base64
Create hunting rule
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments