MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c1a4e3a1c90d013a9465ab585ad7a9cfc378ebdbe77fc1548cb81c791e6914e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c1a4e3a1c90d013a9465ab585ad7a9cfc378ebdbe77fc1548cb81c791e6914e
SHA3-384 hash: 2f42abdb43e228c799fb12413bf2a41a48ca7f67e7dcc2697c529dabb979fe572eea7d42dc0d88e2bce7ef51b759ca44
SHA1 hash: 986edba4c39be9edb552284dac555e2e95f68a4a
MD5 hash: 0b426e8571f8d3e437b7a42e9b8fd808
humanhash: rugby-solar-table-july
File name:ModestMenu.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:156'333 bytes
First seen:2024-05-14 09:51:56 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 3072:TXHtlYzFn8xKlZqwe64MpN9Q2cLNt0hcjhK7ZmVG/:rUB8gQMpvQ2Er0aG/
TLSH T188E3690BF64D08F689F6B926E99DFB3C59246CD51823AC8D065148E4CACEFD81F942F1
Reporter JaffaCakes118
Tags:bat xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MadeByCasttter (1).bat
Verdict:
Malicious activity
Analysis date:
2024-05-14 09:44:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ebea4a9d-edbd-4450-982b-c6b5fc1acd29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/9c1a4e3a1c90d013a9465ab585ad7a9cfc378ebdbe77fc1548cb81c791e6914e
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1441231
Signature
Antivirus detection for URL or domain
Loading BitLocker PowerShell Module
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powerup Write Hijack DLL
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1441231 Sample: ModestMenu.bat Startdate: 14/05/2024 Architecture: WINDOWS Score: 88 48 Antivirus detection for URL or domain 2->48 50 Yara detected Powershell decode and execute 2->50 52 Sigma detected: WScript or CScript Dropper 2->52 54 2 other signatures 2->54 9 cmd.exe 1 2->9         started        12 wscript.exe 1 2->12         started        process3 signatures4 60 Suspicious powershell command line found 9->60 62 Wscript starts Powershell (via cmd or directly) 9->62 14 powershell.exe 3 32 9->14         started        18 conhost.exe 9->18         started        20 cmd.exe 1 9->20         started        64 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->64 66 Suspicious execution chain found 12->66 process5 file6 42 C:\Users\user\AppData\...\Windows_Log_315.vbs, ASCII 14->42 dropped 44 C:\Users\user\AppData\...\Windows_Log_315.bat, DOS 14->44 dropped 72 Suspicious powershell command line found 14->72 22 wscript.exe 1 14->22         started        25 powershell.exe 37 14->25         started        signatures7 process8 signatures9 56 Wscript starts Powershell (via cmd or directly) 22->56 27 cmd.exe 1 22->27         started        58 Loading BitLocker PowerShell Module 25->58 30 conhost.exe 25->30         started        process10 signatures11 68 Suspicious powershell command line found 27->68 70 Wscript starts Powershell (via cmd or directly) 27->70 32 powershell.exe 27->32         started        36 conhost.exe 27->36         started        38 cmd.exe 1 27->38         started        process12 dnsIp13 46 94.156.8.167, 2020 NET1-ASBG Bulgaria 32->46 40 \Device\ConDrv, ASCII 32->40 dropped file14
Score:
97%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/9c1a4e3a1c90d013a9465ab585ad7a9cfc378ebdbe77fc1548cb81c791e6914e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c1a4e3a1c90d013a9465ab585ad7a9cfc378ebdbe77fc1548cb81c791e6914e/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tqne4oq4sdibhkkglk2ylll2tt6dpdv5xz37yfkizoa4pepgsfha._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/240514-lv22ksah6v/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction:
94.156.8.167:2020
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9c1a4e3a1c90d013a9465ab585ad7a9cfc378ebdbe77fc1548cb81c791e6914e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Batch (bat) bat 9c1a4e3a1c90d013a9465ab585ad7a9cfc378ebdbe77fc1548cb81c791e6914e

(this sample)

  
Delivery method
Distributed via web download

Comments