MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcbdf146c3371066501d5005be84b3a30ed653c123fbc247fe5f91239b968cdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dcbdf146c3371066501d5005be84b3a30ed653c123fbc247fe5f91239b968cdb
SHA3-384 hash: 8b23fbc9f256939619104d94a1285672e4f636fbea09eeaeb8573afaa038aa36683b03a4fbfa7cb25afa94f65b34dfcd
SHA1 hash: 9e2d904daa64de8de8df16fde81f8d131a878878
MD5 hash: 1c9f74c3fe5839e974575e475b135ba6
humanhash: glucose-delta-blossom-floor
File name:chrome.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:302'093 bytes
First seen:2025-03-15 15:25:25 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 6144:I8ZcqMow3AmYsTgtQKdQxF2Jqo4d967qC2yDjsohJH16RcWqWMl:I8Zcbv3AmYyg+K/4G32GjDTWyl
Threatray 1'376 similar samples on MalwareBazaar
TLSH T14E54DF3237EA9785E3C9F933C51B24E321E261B058A346946AA7C1C6E24F6047F6D787
Magika vba
Reporter BastianHein
Tags:bat xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
CL CL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
chrome.bat
Verdict:
Malicious activity
Analysis date:
2025-03-15 15:07:35 UTC
Tags:
autorun-startup remote xworm
Link:
https://app.any.run/tasks/25837f68-b6f7-4e07-a3c6-6b33fe023c70

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d5ac1c3962f1a6f471ac28
Tags:
autorun shell spawn sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/67d59c2501edd28374b0c07f/reports/4e0577d1-fe07-4ec2-852a-5f3dc6d64825/overview
Verdict:
Malicious
Labled as:
BAT/Kryptik.Y trojan
Link:
https://www.hybrid-analysis.com/sample/dcbdf146c3371066501d5005be84b3a30ed653c123fbc247fe5f91239b968cdb
Result
Verdict:
SUSPICIOUS
Details
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1639438
Signature
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Powershell drops PE file
Powershell is started from unusual location (likely to bypass HIPS)
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Powershell decode and execute
Yara detected Powershell decrypt and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1639438 Sample: chrome.bat Startdate: 15/03/2025 Architecture: WINDOWS Score: 100 57 me98342-50929.portmap.host 2->57 59 241.42.69.40.in-addr.arpa 2->59 65 Suricata IDS alerts for network traffic 2->65 67 Found malware configuration 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 12 other signatures 2->71 9 cmd.exe 1 2->9         started        12 System.exe 2->12         started        14 System.exe 2->14         started        16 2 other processes 2->16 signatures3 process4 dnsIp5 81 Suspicious powershell command line found 9->81 83 Bypasses PowerShell execution policy 9->83 19 powershell.exe 1 19 9->19         started        24 conhost.exe 9->24         started        85 Powershell is started from unusual location (likely to bypass HIPS) 12->85 87 Reads the Security eventlog 12->87 89 Reads the System eventlog 12->89 26 conhost.exe 12->26         started        28 conhost.exe 14->28         started        55 127.0.0.1 unknown unknown 16->55 30 conhost.exe 16->30         started        signatures6 process7 dnsIp8 61 me98342-50929.portmap.host 193.161.193.99, 47636, 64086 BITREE-ASRU Russian Federation 19->61 51 C:\Users\user\AppData\Roaming\System.exe, PE32+ 19->51 dropped 53 C:\Users\user\AppData\Roaming\...\System.lnk, MS 19->53 dropped 73 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->73 75 Protects its processes via BreakOnTermination flag 19->75 77 Uses schtasks.exe or at.exe to add and modify task schedules 19->77 79 2 other signatures 19->79 32 powershell.exe 21 19->32         started        35 powershell.exe 23 19->35         started        37 powershell.exe 23 19->37         started        39 2 other processes 19->39 file9 signatures10 process11 signatures12 63 Loading BitLocker PowerShell Module 32->63 41 conhost.exe 32->41         started        43 conhost.exe 35->43         started        45 conhost.exe 37->45         started        47 conhost.exe 39->47         started        49 conhost.exe 39->49         started        process13
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/dcbdf146c3371066501d5005be84b3a30ed653c123fbc247fe5f91239b968cdb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dcbdf146c3371066501d5005be84b3a30ed653c123fbc247fe5f91239b968cdb/
Threat name:
Script-BAT.Backdoor.Xworm
Create hunting rule
Status:
Malicious
First seen:
2025-03-15 15:07:43 UTC
File Type:
Text
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3s67crwdg4igmua5kac35bftumhnmu6bep54er76l6ishg4wrtnq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
0d51dea89adc781645bb9845e65c2d45824d8fbee993d00102696e6ca62d466f
XWorm
42a96a71d61fa31676c36a5e036d87dde899e1197a45c48833b4bfb4770feb01
XWorm
8e43d9d75bed8e215f15fd86ddec672c9ea0ecedea04e8042c2b1cf9c1c314cd
XWorm
c5924d4a2e24ecfd49a08643236d261fd375dce90f61b0b1b5de6e3d8f971d1e
XWorm
error
XWorm
+ 1'366 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution persistence rat trojan
Link:
https://tria.ge/reports/250315-st7zrswyhs/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Adds Run key to start application
Drops startup file
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
me98342-50929.portmap.host:47636
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dcbdf146c3371066501d5005be84b3a30ed653c123fbc247fe5f91239b968cdb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments