MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f747415080430ab9ae667ba1d2c6079c64d4566eaaf446e3b3ec764ad7144286. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f747415080430ab9ae667ba1d2c6079c64d4566eaaf446e3b3ec764ad7144286
SHA3-384 hash: 31c11124efed9bc8a7cde30925cd85d51d02ee83df406b8b704d3ab87ff0f38c4114416c297f20a3eb9fcc7af21f38f7
SHA1 hash: 5d9ebb323b2b62b379c11dbc247dfab6347e8c63
MD5 hash: 8810d5bffb6c4bfd56a9b02cee1f2636
humanhash: speaker-nitrogen-kitten-indigo
File name:QUANG PHUOC REQUSTED.VBS
Download: download sample
Signature XWorm
Create hunting rule
File size:2'313 bytes
First seen:2025-05-09 14:53:49 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:aAP9cN/6/D/Z/S6/vo/2/2B/k/k/g/m/h/h/g/H/F/k/r/a/r/r/h/U/h/b/y/P1:aAlcluD
Threatray 1'993 similar samples on MalwareBazaar
TLSH T19E417EE65568E594095282B0A65C2D247BC023CCF9934233B1F37396DC0DAD4B3DBFA8
Magika vba
Reporter abuse_ch
Tags:vbs xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBS.Agent.CAV.Eldorado.6149.30213.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681e18ea4a59e5a2ce03645a
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/681e1723d95f3e34e9654011/reports/0c672545-2023-4182-abf4-08941aef7973/overview
Verdict:
Malicious
Labled as:
VBS/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/f747415080430ab9ae667ba1d2c6079c64d4566eaaf446e3b3ec764ad7144286
Result
Verdict:
UNKNOWN
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1685771
Signature
Connects to a pastebin service (likely for C&C)
Multi AV Scanner detection for submitted file
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Behaviour
Behavior Graph:
Download SVG
Score:
2%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/f747415080430ab9ae667ba1d2c6079c64d4566eaaf446e3b3ec764ad7144286
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f747415080430ab9ae667ba1d2c6079c64d4566eaaf446e3b3ec764ad7144286/
Threat name:
Script.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-09 04:40:59 UTC
File Type:
Binary
AV detection:
9 of 37 (24.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=65ducueaimfltltgpoq5frqhtrsnivtovl2eny5t5r3evvyuikda._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
0cb83a22eb4440dd9f04329ecd54615827916b54d0765818c315c3c034183248
XWorm
19ba6881b1e82fa63c945ded965dc247f291d64eef58f6814e232f1422a0bb62
XWorm
9cbab28a72761e88ba00086474dc02c90fb3704fd10086628a9a8ec3fba2b186
XWorm
bb57a345bfddb2a779d447fb1f34b36bf08d70793be2705d95244254e264e1e2
XWorm
d446801308313403b701227453e4de340d03eb77aa2e4ac9e22368c4d0a2b059
XWorm
e45b310301004cf4ea3e855aae0ff6ba2e78b1fe8e99b90c8cb553881e410d20
XWorm
error
XWorm
+ 1'983 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution persistence rat trojan
Link:
https://tria.ge/reports/250509-r943daxks7/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
127.0.0.1:8078
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Visual Basic Script (vbs) vbs f747415080430ab9ae667ba1d2c6079c64d4566eaaf446e3b3ec764ad7144286

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments