MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08ede1211e777ab6a12245c2b6af33e25f456e957937aefc96c5c3d5233591f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08ede1211e777ab6a12245c2b6af33e25f456e957937aefc96c5c3d5233591f8
SHA3-384 hash: 0c197b0d885f685d355151b7d9167f3ab4b934303600711d7335d19f073e2e0d233cb653a932bb5a7ac8149dc622c8e4
SHA1 hash: 169ce5516c72c9af16e7c212403b24f113c35cae
MD5 hash: 4ee73a3a7eb9e8c517376825156f9379
humanhash: magnesium-social-yellow-edward
File name:DA6B.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:1'089 bytes
First seen:2025-03-23 22:01:43 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 24:rm2BlmrHDrCMNmgbamnMcZDm+uXIbKHDCA++Le:C2BlmjDrpNNakdIIbKjCA+/
TLSH T19111661ACA1E0D83EB13D063CA2712CA2F9ED25210162DB9F7A81FDC3400CB88FD9458
Magika batch
Reporter smica83
Tags:bat xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DA6B.bat
Verdict:
Malicious activity
Analysis date:
2025-03-23 22:18:11 UTC
Tags:
xred backdoor remote xworm delphi
Link:
https://app.any.run/tasks/39bc1673-f10f-4539-b91f-5d7ba5a53d53

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e2462cbb84e066269eb9a0
Tags:
shell sage blic
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Running batch commands
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Adding an exclusion to Microsoft Defender
Using obfuscated Powershell scripts
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm asyncrat backdoor cmd dropper evasive find fingerprint hacktool keylogger lolbin lolbin mountvol njrat powershell rat remote xworm
Link:
https://www.filescan.io/uploads/67e084fae05c48ec61e6a621/reports/00dad970-5944-4c74-939b-3335ef1a5e23/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/08ede1211e777ab6a12245c2b6af33e25f456e957937aefc96c5c3d5233591f8
Result
Verdict:
UNKNOWN
Result
Threat name:
XRed, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1646366
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Execution from Suspicious Folder
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
Yara detected XRed
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1646366 Sample: DA6B.bat Startdate: 23/03/2025 Architecture: WINDOWS Score: 100 62 freedns.afraid.org 2->62 64 xred.mooo.com 2->64 66 10 other IPs or domains 2->66 86 Suricata IDS alerts for network traffic 2->86 88 Found malware configuration 2->88 90 Malicious sample detected (through community Yara rule) 2->90 94 18 other signatures 2->94 10 cmd.exe 1 2->10         started        13 svchost.exe 1 1 2->13         started        16 EXCEL.EXE 2->16         started        18 Synaptics.exe 2->18         started        signatures3 92 Uses dynamic DNS services 62->92 process4 dnsIp5 114 Suspicious powershell command line found 10->114 116 Adds a directory exclusion to Windows Defender 10->116 20 powershell.exe 14 18 10->20         started        24 powershell.exe 7 10->24         started        27 powershell.exe 22 10->27         started        29 3 other processes 10->29 78 127.0.0.1 unknown unknown 13->78 80 s-part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 50244, 50246 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 16->80 signatures6 process7 dnsIp8 68 files.catbox.moe 108.181.20.35, 443, 49725 ASN852CA Canada 20->68 52 C:\Users\Public\winglog32.exe, PE32 20->52 dropped 31 winglog32.exe 1 5 20->31         started        96 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 24->96 98 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 24->98 100 Drops PE files to the user root directory 24->100 104 2 other signatures 24->104 102 Loading BitLocker PowerShell Module 27->102 35 mountvol.exe 1 29->35         started        37 find.exe 1 29->37         started        file9 signatures10 process11 file12 56 C:\Users\user\Desktop\._cache_winglog32.exe, PE32 31->56 dropped 58 C:\ProgramData\Synaptics\Synaptics.exe, PE32 31->58 dropped 60 C:\ProgramData\Synaptics\RCXFACC.tmp, PE32 31->60 dropped 82 Antivirus detection for dropped file 31->82 84 Multi AV Scanner detection for dropped file 31->84 39 Synaptics.exe 31->39         started        44 ._cache_winglog32.exe 2 31->44         started        signatures13 process14 dnsIp15 70 drive.usercontent.google.com 142.250.176.193, 443, 49737, 49738 GOOGLEUS United States 39->70 72 docs.google.com 142.251.35.174, 443, 49733, 49734 GOOGLEUS United States 39->72 74 freedns.afraid.org 69.42.215.252, 49742, 80 AWKNET-LLCUS United States 39->74 54 C:\Users\user\DocumentsWZCVGNOWT\~$cache1, PE32 39->54 dropped 106 Antivirus detection for dropped file 39->106 108 Multi AV Scanner detection for dropped file 39->108 110 Drops PE files to the document folder of the user 39->110 46 WerFault.exe 39->46         started        48 WerFault.exe 39->48         started        50 WerFault.exe 39->50         started        76 147.185.221.26, 20448, 49729, 49754 SALSGIVERUS United States 44->76 112 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 44->112 file16 signatures17 process18
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/08ede1211e777ab6a12245c2b6af33e25f456e957937aefc96c5c3d5233591f8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/08ede1211e777ab6a12245c2b6af33e25f456e957937aefc96c5c3d5233591f8/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bdw6cii6o55lnijcixblnlzt4jpuk3uvpe3257ewyxb5kizvsh4a._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250323-1xs9sa1mx6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/08ede1211e777ab6a12245c2b6af33e25f456e957937aefc96c5c3d5233591f8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

XWorm

Batch (bat) bat 08ede1211e777ab6a12245c2b6af33e25f456e957937aefc96c5c3d5233591f8

(this sample)

XWorm

Executable exe 2093c40693b6684ea3eb4c6fccec07b765551b3c0f28cb6f14543aef86fdce3f

  
Dropping
SHA256 2093c40693b6684ea3eb4c6fccec07b765551b3c0f28cb6f14543aef86fdce3f
  
Dropping
MD5 38f198d48a2fbf99601e1654a2cd30b1

Comments