MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe6e4a3e286bead5bf06a21ea57b4237ac4d0d25b832634f6cc1e743d86c75e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe6e4a3e286bead5bf06a21ea57b4237ac4d0d25b832634f6cc1e743d86c75e7
SHA3-384 hash: 1ff9c58c7e48456841b49581c7b83301eeea4d146fcf934cf65f96481b9d81e9aff281952266b6bc2923cd4ccfff0357
SHA1 hash: f4922f5c0bfc61fe35f5503cb7b66932797fc8fd
MD5 hash: 32ddfeb13e68e609be07921bcc502d1a
humanhash: neptune-pennsylvania-kansas-dakota
File name:Document-660117765723.wsf
Download: download sample
Signature XWorm
Create hunting rule
File size:2'500 bytes
First seen:2024-09-24 12:01:52 UTC
Last seen:Never
File type:
MIME type:text/html
ssdeep 48:T3aOCxVDiXrRBNT+0ym+DxM35LyT3O/dMCSxoj6SBzVQVQKZ:TMxVOXrR+0y/dMpm3OOCSe6SV6
Threatray 1'326 similar samples on MalwareBazaar
TLSH T12451512B0E0B8AFC874F0D8125895C71CBE5D109213C14F67AED5D9C6750CA878F6C4C
Magika vba
Reporter JAMESWT_WT
Tags:bitbucket-org--xyz491 wireoff-work-gd--7000 wsf xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.11480.6632.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f2d30c8aca58c2b2c71800
Tags:
Discovery Execution Generic Network Stealth Exploit Gumen Tori Sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade powershell
Link:
https://www.filescan.io/uploads/66f2aa435551d52611ffd402/reports/1c9f2f98-3ec7-487e-8b5b-ae36117ec2bf/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/fe6e4a3e286bead5bf06a21ea57b4237ac4d0d25b832634f6cc1e743d86c75e7
Result
Verdict:
UNKNOWN
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1516977
Signature
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses the Telegram API (likely for C&C communication)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1516977 Sample: Document-660117765723.wsf Startdate: 24/09/2024 Architecture: WINDOWS Score: 100 48 paste.ee 2->48 50 api.telegram.org 2->50 52 2 other IPs or domains 2->52 62 Suricata IDS alerts for network traffic 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 72 8 other signatures 2->72 10 wscript.exe 1 2->10         started        13 wscript.exe 2->13         started        15 wscript.exe 1 2->15         started        signatures3 68 Connects to a pastebin service (likely for C&C) 48->68 70 Uses the Telegram API (likely for C&C communication) 50->70 process4 signatures5 82 Wscript starts Powershell (via cmd or directly) 10->82 17 cmd.exe 1 10->17         started        20 cmd.exe 13->20         started        84 VBScript performs obfuscated calls to suspicious functions 15->84 86 Windows Scripting host queries suspicious COM object (likely to drop second stage) 15->86 88 Suspicious execution chain found 15->88 22 powershell.exe 15->22         started        process6 signatures7 56 Suspicious powershell command line found 17->56 58 Wscript starts Powershell (via cmd or directly) 17->58 60 Bypasses PowerShell execution policy 17->60 24 cmd.exe 1 17->24         started        27 conhost.exe 17->27         started        29 cmd.exe 20->29         started        31 conhost.exe 20->31         started        33 powershell.exe 7 22->33         started        35 conhost.exe 22->35         started        process8 signatures9 78 Suspicious powershell command line found 24->78 80 Wscript starts Powershell (via cmd or directly) 24->80 37 powershell.exe 16 24->37         started        40 powershell.exe 13 29->40         started        process10 signatures11 74 Writes to foreign memory regions 37->74 76 Injects a PE file into a foreign processes 37->76 42 RegSvcs.exe 2 37->42         started        46 RegSvcs.exe 1 40->46         started        process12 dnsIp13 54 wireoff.work.gd 104.234.204.76, 49739, 7000 VELCOMCA Canada 42->54 90 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 42->90 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe6e4a3e286bead5bf06a21ea57b4237ac4d0d25b832634f6cc1e743d86c75e7/
Threat name:
Win32.Dropper.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-09-24 12:12:35 UTC
File Type:
Text
Extracted files:
1
AV detection:
3 of 38 (7.89%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7zxeuprinpvnlpyguipkk62cg6we2djfxazggt3myhtuhwdmoxtq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
3a5134cc11c7c47b7268e7bf6bf1556c5ff5044af54b7931cae652bfd8d83717
XWorm
65003b56f231e2913aed2ce8c6e5311778f03762263c43e10daafbb846d687cf
XWorm
ca7c2fbb9989ff738c74492d418a9c411f47944ca27b11ff2f41cd1e4f03b7a5
XWorm
d29f57dd228c45a7176306e87d8f670324a6fcda2e42914b6b96e084be455872
XWorm
f3831d6ca373f539fec77e975ae4fc26451bfb3113513813819ea1111f31a81a
XWorm
fe6e4a3e286bead5bf06a21ea57b4237ac4d0d25b832634f6cc1e743d86c75e7
XWorm
+ 1'316 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution rat trojan
Link:
https://tria.ge/reports/240924-sa124szdlm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction:
wireoff.work.gd:7000
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe6e4a3e286bead5bf06a21ea57b4237ac4d0d25b832634f6cc1e743d86c75e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_Malicious_VBScript_Base64
Create hunting rule
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments