MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f965695294bd5b7961e6e6bdbe299e33d0c2d89bb6267e5f8bca9fcd5214a526. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f965695294bd5b7961e6e6bdbe299e33d0c2d89bb6267e5f8bca9fcd5214a526
SHA3-384 hash: 6b8d2ce186fdb8fdac4fbbd55398ad0a586cc0869c0476df6f85d46c0989484455a3282ac4fd84cfcbb634be8cea1a68
SHA1 hash: 12bb1995a45f819c8f8f4591a40d8ea1d0e8221c
MD5 hash: 44c54c4e056742175c3a71b33720664b
humanhash: paris-undress-timing-summer
File name:Purchase Order [POF0000095].vbs
Download: download sample
Signature XWorm
Create hunting rule
File size:2'179'087 bytes
First seen:2026-06-15 19:42:05 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/csv
ssdeep 384:81ZdwYU1somr7Rl92w6xHYYeaVqvXris+D2R1nOPfqVhkT:81fwhsoW7v9d6dYYeRY2R1nifqK
TLSH T17CA58C4BD70FD984B4D66C37D6CC9C228221A83E55688CB32408ADAFAD0FDC565D3F1A
Magika txt
Reporter abuse_ch
Tags:vbs xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70879/
Detection(s):
SecuriteInfo.com.VBS.Starter.539.31537.11986.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a3055b6a15110463ee61d4d
Tags:
ransomware autorun shell sage
Verdict:
Malicious
Labled as:
Downloader
Link:
https://www.hybrid-analysis.com/sample/f965695294bd5b7961e6e6bdbe299e33d0c2d89bb6267e5f8bca9fcd5214a526
Verdict:
Malicious
File Type:
text.utf8
First seen:
2026-06-14T21:25:00Z UTC
Last seen:
2026-06-17T09:52:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.Script.Generic HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan-Downloader.PowerShell.Agent.gen Trojan.VBS.SAgent.sb Trojan.Multi.Agent.gen Trojan.JS.SAgent.sb Trojan-Dropper.PowerShell.Agent.aft
Link:
https://opentip.kaspersky.com/f965695294bd5b7961e6e6bdbe299e33d0c2d89bb6267e5f8bca9fcd5214a526/results?tab=lookup
Result
Threat name:
AgentTesla, SugarDump, XWorm
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1928326
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected malicious Powershell script
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates processes via WMI
Drops VBS files to the startup folder
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Potential dropper URLs found in powershell memory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Copy file to startup via Powershell
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected SugarDump
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1928326 Sample: Purchase Order [POF0000095].vbs Startdate: 15/06/2026 Architecture: WINDOWS Score: 100 118 basefile.click 2->118 120 www.basefile.click 2->120 122 3 other IPs or domains 2->122 134 Suricata IDS alerts for network traffic 2->134 136 Found malware configuration 2->136 138 Malicious sample detected (through community Yara rule) 2->138 140 24 other signatures 2->140 13 powershell.exe 14 15 2->13         started        17 wscript.exe 1 2->17         started        19 wscript.exe 1 2->19         started        21 svchost.exe 1 1 2->21         started        signatures3 process4 dnsIp5 128 basefile.click 45.136.5.4, 49683, 49692, 80 AS-PIXOOFTR Turkey 13->128 130 brenmayasociados.com 50.87.145.2, 443, 49695, 49699 ORACLE-BMC-31898-OracleCorporationUS United States 13->130 174 Writes to foreign memory regions 13->174 176 Potential dropper URLs found in powershell memory 13->176 178 Injects a PE file into a foreign processes 13->178 23 CasPol.exe 18 15 13->23         started        28 conhost.exe 13->28         started        180 Suspicious powershell command line found 17->180 182 Wscript starts Powershell (via cmd or directly) 17->182 184 Windows Scripting host queries suspicious COM object (likely to drop second stage) 17->184 186 3 other signatures 17->186 30 powershell.exe 13 17->30         started        32 powershell.exe 19->32         started        132 127.0.0.1 unknown unknown 21->132 signatures6 process7 dnsIp8 124 172.245.106.54, 3333, 49696 AS-COLOCROSSING-HostPapaUS United States 23->124 126 ip-api.com 208.95.112.1, 49697, 49698, 80 TUT-AS-TotalUptimeTechnologiesLLCUS United States 23->126 110 C:\Users\user\AppData\Local\Temp\ahjtgc.exe, PE32 23->110 dropped 112 C:\Users\user\AppData\...\4ftzdzilgio.exe, PE32+ 23->112 dropped 114 C:\Users\user\AppData\...\jf4ncp22h4f.ps1, ASCII 23->114 dropped 156 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->156 158 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 23->158 160 Tries to steal Mail credentials (via file / registry access) 23->160 170 4 other signatures 23->170 34 powershell.exe 23->34         started        38 ahjtgc.exe 23->38         started        40 CasPol.exe 23->40         started        50 8 other processes 23->50 116 C:\Users\...\Purchase Order [POF0000095].vbs, CSV 30->116 dropped 162 Drops VBS files to the startup folder 30->162 164 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 30->164 42 conhost.exe 30->42         started        166 Writes to foreign memory regions 32->166 168 Injects a PE file into a foreign processes 32->168 44 conhost.exe 32->44         started        46 CasPol.exe 32->46         started        48 CasPol.exe 32->48         started        file9 signatures10 process11 file12 94 C:\Users\user\AppData\...\i1rjim5o.cmdline, Unicode 34->94 dropped 142 Suspicious powershell command line found 34->142 52 powershell.exe 34->52         started        54 csc.exe 34->54         started        57 conhost.exe 34->57         started        144 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 38->144 146 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 38->146 148 Tries to steal Mail credentials (via file / registry access) 38->148 150 Tries to harvest and steal browser information (history, passwords, etc) 38->150 152 Antivirus detection for dropped file 40->152 96 C:\Users\user\AppData\Local\Temp\CasPol.exe, PE32 50->96 dropped 59 conhost.exe 50->59         started        61 cvtres.exe 50->61         started        63 conhost.exe 50->63         started        65 9 other processes 50->65 signatures13 process14 file15 67 4ftzdzilgio.exe 52->67         started        71 csc.exe 52->71         started        73 conhost.exe 52->73         started        108 C:\Users\user\AppData\Local\...\i1rjim5o.dll, PE32 54->108 dropped 75 cvtres.exe 54->75         started        process16 file17 98 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 67->98 dropped 100 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 67->100 dropped 102 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 67->102 dropped 106 58 other malicious files 67->106 dropped 154 Multi AV Scanner detection for dropped file 67->154 77 4ftzdzilgio.exe 67->77         started        104 C:\Users\user\AppData\Local\...\gqvtb0hh.dll, PE32 71->104 dropped 80 cvtres.exe 71->80         started        signatures18 process19 signatures20 172 Tries to harvest and steal browser information (history, passwords, etc) 77->172 82 taskkill.exe 77->82         started        84 taskkill.exe 77->84         started        86 taskkill.exe 77->86         started        process21 process22 88 conhost.exe 82->88         started        90 conhost.exe 84->90         started        92 conhost.exe 86->92         started       
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f965695294bd5b7961e6e6bdbe299e33d0c2d89bb6267e5f8bca9fcd5214a526/
Verdict:
Malicious
Threat:
Trojan.PowerShell.Agent
Link:
https://tip.neiki.dev/file/f965695294bd5b7961e6e6bdbe299e33d0c2d89bb6267e5f8bca9fcd5214a526
Threat name:
Script-WScript.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-06-15 04:12:21 UTC
File Type:
Binary
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7fswsuuuxvnxsypg42634km6gpimfwe3wyth4x4lzkp42uquuuta._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:xworm collection discovery execution keylogger rat spyware stealer trojan
Link:
https://tria.ge/reports/260615-yfsktaez4x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Family: AgentTesla
Family: Xworm
Process spawned unexpected child process
Malware Config
C2 Extraction:
172.245.106.54:3333
Dropper Extraction:
http://www.basefile.click/optimized_MSIljune.png
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f965695294bd5b7961e6e6bdbe299e33d0c2d89bb6267e5f8bca9fcd5214a526

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/70879/

Comments