MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9789ce4243643c7ec5090f1358e86802603e6ea2f900326001e43169c724e301. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm
Vendor detections: 9

SHA256 hash: 9789ce4243643c7ec5090f1358e86802603e6ea2f900326001e43169c724e301
SHA3-384 hash: a3863d1ff6b7972d314d75da27f63c189f61158e05afa911c357f8f7b0e91fd9adc5c2c4a5d832b715b37791649bcaf7
SHA1 hash: f2da69422be6f2587c97a214aaac3a7364ef14f6
MD5 hash: 7d1eb4cf0e6e7f40a3e53aa506d9df45
humanhash: winter-artist-echo-romeo
File name: PO-20250823?????????DocumentAugust-pdf.bat
Signature: XWorm
File size: 204,028 bytes
First seen: 2025-08-13 04:20:25 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/plain
ssdeep: 3072:kCRPHXFQDaCRXBAHFHB9dyA3G0AHmNlK9/18T9Jay5FI0HWavWj3Q3vWmJbnk:YBAH5E6MGCl1IaYI0HWuWj3Q3+mJk
TLSH: T1A314F83DCAE5FCE4036BB1D03ADE3B0B118D6BD3B2601B9CF6E019551854A65DF3A268
Magika: vba
Reporter: abuse_ch
Tags: bat xworm


abuse_ch
XWorm C2:
192.121.82.48:9779

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                   ThreatFox Reference
192.121.82.48:9779    https://threatfox.abuse.ch/ioc/1568115/

Intelligence


File Origin
# of uploads: 1
# of downloads: 45
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 3f44b1ec-42b3-4d56-b5c5-cc5fb5f27901
Verdict: No threats detected
Analysis date: 2025-08-13 04:21:44 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: obfuscated
Result
Threat name: n/a
Detection: malicious
Classification: expl.evad
Score: 100 / 100
Signatures:
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Drops script or batch files to the startup folder
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Behaviour
Behavior Graph (ID 1755758; the rendered graph did not survive extraction): Sample PO-20250823_________Documen..., start date 13/08/2025, architecture WINDOWS, score 100. The graph shows chains of cmd.exe and conhost.exe processes spawning further cmd.exe instances; one chain contacts x-xx-x.ydns.eu (192.121.82.48, port 9779, M247GB, Sweden) and the chains drop ASCII batch files (111c.bat, 3dd8.bat, 69b8.bat, 1254.bat, 154c.bat, 6e3c.bat, 7d77.bat, f186.bat and 11 other malicious files) under C:\Users\user\AppData\Roaming\.... Signatures attached to the graph: Suricata IDS alerts for network traffic, malicious sample detected through a community YARA rule, Sigma "Drops script at startup location", suspicious PowerShell command lines, suspicious PowerShell code related to unpacking or dynamic code loading, drops script or batch files to the startup folder, and queries of sensitive video device information via WMI (Win32_VideoController, often done to detect virtual machines).
Threat name: Text.Trojan.Generic
Status: Suspicious
First seen: 2025-08-13 04:18:22 UTC
File Type: Text
AV detection: 5 of 24 (20.83%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xworm execution rat trojan
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Drops startup file
Blocklisted process makes network request
Detect Xworm Payload
Xworm
Xworm family
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments