MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01b32400dada222a87a21834ceb8cd7fc95b88da0561711b81e027e8974eede3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01b32400dada222a87a21834ceb8cd7fc95b88da0561711b81e027e8974eede3
SHA3-384 hash: 3b68708cfb719150ec15ffc7c2d5a31306f5828ecea7b1751eba00e0e431a12e5fd831a251b03d35b2de6089b4ec9b45
SHA1 hash: 360fa2fbb365e00928830420bac51133cda46035
MD5 hash: 1ca4575616bb2802bc8ca8487977c2f1
humanhash: north-sodium-solar-lima
File name:Garanti-BBVA-000098473909875998899-Fatura0048.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:365'469 bytes
First seen:2025-09-18 06:44:53 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 3072:/AAAAAAVpF0AAAAAAAAAAAAwAAAAAAVpF0AAAAAAAAAAAAGAAAAAAVpF0AAAAAAX:TVzpru
Threatray 930 similar samples on MalwareBazaar
TLSH T1F3744B30E86B817A78D529BC2DBDC561FB37CA7D10A83A50F090599907AF90F3D2B794
Magika javascript
Reporter abuse_ch
Tags:bat BBVA xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Garanti-BBVA-000098473909875998899-Fatura0048.bat
Verdict:
No threats detected
Analysis date:
2025-09-18 07:37:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cb2afb0c-40e5-4648-a2e9-9fe9aad8e56b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28085/
Detection(s):
SecuriteInfo.com.PUA.JS.Shell-1.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68cbaac488b954439247a3c1
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm cscript findstr lolbin wmic wscript
Link:
https://www.filescan.io/uploads/68cbac220d1238ff0aae6022/reports/1a9a3452-4454-4a15-bee3-fb19c01a9f8d/overview
Verdict:
Suspicious
Labled as:
BAT/Agent.BDM
Link:
https://www.hybrid-analysis.com/sample/01b32400dada222a87a21834ceb8cd7fc95b88da0561711b81e027e8974eede3
Verdict:
Unknown
File Type:
wsf
First seen:
2025-09-17T07:16:00Z UTC
Last seen:
2025-09-17T07:16:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/01b32400dada222a87a21834ceb8cd7fc95b88da0561711b81e027e8974eede3/results?tab=lookup
Result
Threat name:
SugarDump, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1779792
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Powershell decode and execute
Yara detected SugarDump
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1779792 Sample: Garanti-BBVA-00009847390987... Startdate: 18/09/2025 Architecture: WINDOWS Score: 100 32 info17.infy.uk 2->32 34 exim111.casacam.net 2->34 36 2 other IPs or domains 2->36 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 12 other signatures 2->62 9 cmd.exe 1 2->9         started        12 svchost.exe 1 1 2->12         started        signatures3 process4 dnsIp5 70 Suspicious powershell command line found 9->70 72 Bypasses PowerShell execution policy 9->72 15 powershell.exe 14 15 9->15         started        19 conhost.exe 9->19         started        40 127.0.0.1 unknown unknown 12->40 signatures6 process7 dnsIp8 42 info17.infy.uk 185.27.134.208, 49687, 80 WILDCARD-ASWildcardUKLimitedGB United Kingdom 15->42 44 archive.org 207.241.224.2, 443, 49684 INTERNET-ARCHIVEUS United States 15->44 46 dn721801.ca.archive.org 204.62.247.83, 443, 49685 COGENT-174US United States 15->46 48 Installs new ROOT certificates 15->48 50 Found Tor onion address 15->50 52 Writes to foreign memory regions 15->52 54 Injects a PE file into a foreign processes 15->54 21 CasPol.exe 2 5 15->21         started        26 conhost.exe 15->26         started        signatures9 process10 dnsIp11 38 exim111.casacam.net 88.218.17.152, 49690, 49691, 7978 SERVERIUS-ASNL United Kingdom 21->38 30 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 21->30 dropped 64 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->64 66 Tries to steal Mail credentials (via file / registry access) 21->66 68 Tries to harvest and steal browser information (history, passwords, etc) 21->68 28 WerFault.exe 22 16 21->28         started        file12 signatures13 process14
Score:
85%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/01b32400dada222a87a21834ceb8cd7fc95b88da0561711b81e027e8974eede3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01b32400dada222a87a21834ceb8cd7fc95b88da0561711b81e027e8974eede3/
Threat name:
Script-BAT.Backdoor.Xworm
Create hunting rule
Status:
Suspicious
First seen:
2025-09-17 12:58:33 UTC
File Type:
Text (Batch)
AV detection:
11 of 37 (29.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=agzsiag23ircvb5cda2m5ognp7evxcg2avqxcg4b4at6rf2o5xrq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
4fccf079d2e2942caad3338ada2aedf4290d380df931ae188e74693b86535da9
XWorm
5554ca93846129bc28fdcbfcd24d49ee67a117498bd6bcd99a498c0c48c41288
XWorm
8e3ac942df072256abcf91e4f1e5c76a09093374a9f5b997905dfc5a8b949e2a
XWorm
9219023b7da8a734c9d4063421680c5fd505adb36d2ba714118887df71ff4790
XWorm
9e81ab654b7791538849e8cdbc60b170c2e8de58bc38ba5248c0a6861ee3dae7
XWorm
a0c3fa62661159a9eef10b604214afade57a535a405c359b827a3bbd4b0cc63e
XWorm
d84b28f6ce7bca728fdf5eea7ed6cc3d6bed66d189c9218484d62fda4d5a4c9c
XWorm
dd526d6b1e6b225b484425cfce62bc318dae7ad5356e81587a511394a3e34aa0
XWorm
error
XWorm
f2444ec2549a9aad73567a3d1e1b00ff4de8be3727489c0cf1f5397975aa0c8d
XWorm
+ 920 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm collection discovery execution rat trojan
Link:
https://tria.ge/reports/250918-hm5wqabq8w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
exim111.casacam.net:7978
Dropper Extraction:
https://archive.org/download/optimized_msi_20250904/optimized_MSI.png
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01b32400dada222a87a21834ceb8cd7fc95b88da0561711b81e027e8974eede3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/28085/

Comments