MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04ce543c01a4bace549f6be2d77eb62567c7b65edbbaebc0d00d760425dcd578. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04ce543c01a4bace549f6be2d77eb62567c7b65edbbaebc0d00d760425dcd578
SHA3-384 hash: 7388eb2932d293819db7157efcfc14ea61a2b5a37ea1e2e5bfc3a141002ff1b905f612b4a1c940c611ebdd67fa6f194d
SHA1 hash: dc1ae0d624483cf4e3950141d3d4e7ce2f31d887
MD5 hash: 7d8a84813d06c036c7df72e36d152fac
humanhash: kitten-leopard-alanine-xray
File name:7d8a84813d06c036c7df72e36d152fac_JUSTIFICANTE DE PAGO.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:50'394 bytes
First seen:2022-12-20 12:23:14 UTC
Last seen:2022-12-26 18:22:51 UTC
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 768:WOnpPUqRZRJ40PS6tDb7STa0OLbgeLVORA8VUIwMrBo0WzP3dMqnvDg7hI3:jpPJcf62a3bjD8Cu9/WzvxOhI3
Threatray 3'233 similar samples on MalwareBazaar
TLSH T19D33F106D0AF083B3058C5215DEC8BEB10995D6C40BAC5845F5359B76F8A86E63EAAC7
Reporter adrian__luca
Tags:bat xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
JUSTIFICANTE DE PAGO.bat
Verdict:
Malicious activity
Analysis date:
2022-12-20 08:43:54 UTC
Tags:
xworm
Link:
https://app.any.run/tasks/b32be751-743b-4dfc-9cd0-9b2f9fe316c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/348358/
Gathering data
Result
Verdict:
UNKNOWN
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1137908
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Obfuscated command line found
Renames powershell.exe to bypass HIPS
Sigma detected: Schedule system process
Sigma detected: Schedule VBS From Appdata
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Wscript starts Powershell (via cmd or directly)
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 770638 Sample: qMFDLtUc9K.bat Startdate: 20/12/2022 Architecture: WINDOWS Score: 100 76 Snort IDS alert for network traffic 2->76 78 Multi AV Scanner detection for domain / URL 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 5 other signatures 2->82 11 cmd.exe 2 2->11         started        15 wscript.exe 1 2->15         started        process3 file4 72 C:\Users\user\Desktop\qMFDLtUc9K.bat.exe, PE32+ 11->72 dropped 104 Suspicious powershell command line found 11->104 106 Wscript starts Powershell (via cmd or directly) 11->106 108 Uses schtasks.exe or at.exe to add and modify task schedules 11->108 110 Renames powershell.exe to bypass HIPS 11->110 17 qMFDLtUc9K.bat.exe 3 20 11->17         started        21 powershell.exe 7 11->21         started        23 conhost.exe 11->23         started        25 cmd.exe 15->25         started        signatures5 process6 file7 66 C:\Users\user\AppData\...\dEwbycmIkb.vbs, ASCII 17->66 dropped 68 C:\Users\user\AppData\...\dEwbycmIkb.bat, DOS 17->68 dropped 84 Obfuscated command line found 17->84 27 wscript.exe 1 17->27         started        30 cmd.exe 1 17->30         started        32 powershell.exe 9 17->32         started        86 Suspicious powershell command line found 25->86 88 Wscript starts Powershell (via cmd or directly) 25->88 90 Renames powershell.exe to bypass HIPS 25->90 34 dEwbycmIkb.bat.exe 25->34         started        36 conhost.exe 25->36         started        38 powershell.exe 25->38         started        signatures8 process9 signatures10 100 Wscript starts Powershell (via cmd or directly) 27->100 40 cmd.exe 2 27->40         started        44 conhost.exe 30->44         started        46 schtasks.exe 1 30->46         started        48 conhost.exe 32->48         started        102 Obfuscated command line found 34->102 50 powershell.exe 34->50         started        process11 file12 70 C:\Users\user\AppData\...\dEwbycmIkb.bat.exe, PE32+ 40->70 dropped 94 Suspicious powershell command line found 40->94 96 Wscript starts Powershell (via cmd or directly) 40->96 98 Renames powershell.exe to bypass HIPS 40->98 52 dEwbycmIkb.bat.exe 17 40->52         started        56 conhost.exe 40->56         started        58 powershell.exe 40->58         started        60 conhost.exe 50->60         started        signatures13 process14 dnsIp15 74 hurricane.ydns.eu 85.209.134.253, 2311, 49701 CMCSUS Germany 52->74 92 Obfuscated command line found 52->92 62 powershell.exe 52->62         started        signatures16 process17 process18 64 conhost.exe 62->64         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04ce543c01a4bace549f6be2d77eb62567c7b65edbbaebc0d00d760425dcd578/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=athfipabus5m4ve7nprno7vwevt4pns63o5oxqgqbv3aijo42v4a._file
Verdict:
unknown
Similar samples:
0c46021aa8d5a1164ee93248ea12f42e05612006943fb9bf32d2d4fbd4a9dcbc
XWorm
211abb138fdb4df615ae9d97a39fd06c29d7140da2ea5192ab92b6ec94e0cd61
XWorm
3b76cb3ab031658b762892f0d4145498eee84da51d451c67c1ca642afd79add1
XWorm
47ac3d18dc7010640808ab90a5a83881593a6ab8a5bc178ff72f983e26c3476f
XWorm
49e5b6a43eb0b1f3311af48ffaad03cb2b40354edb537d51a5f86855887f853c
XWorm
533be061fa24c8041cdf7bd850a18090f02e9d96016a954dd4373860106cad40
XWorm
d27fe6a42208e340e992bb1e4b346229d9c2663b9184238e01ab699c3a772a3c
XWorm
e0821c032569fd1820f3399609b27f448db1b9d34043593661ea6000bbcdf0eb
XWorm
f9265a0554ffd7971bacbd4335ab32109aa2f8ba7f70dba315f4e1f48674b990
XWorm
+ 3'223 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221220-pk2jvacf3s/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04ce543c01a4bace549f6be2d77eb62567c7b65edbbaebc0d00d760425dcd578

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Batch (bat) bat 04ce543c01a4bace549f6be2d77eb62567c7b65edbbaebc0d00d760425dcd578

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/348358/

Comments