MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0970b5bea3795f0d8e9b2adc6e97ba05ce8ca486112e1110c4d5652d068fff4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	0970b5bea3795f0d8e9b2adc6e97ba05ce8ca486112e1110c4d5652d068fff4a
SHA3-384 hash:	1f607a26d6ed72b38365d9c6393629f97eabb292bf3a7678dccd8467f76e3883e45aeef9b2ee4f8a9547d4052c1c0dd1
SHA1 hash:	1c3f797c111b7c91bc7d7db6c44619d1a142fcab
MD5 hash:	036481ad0cb13e9e7ee57903c02a5204
humanhash:	wyoming-orange-hot-ink
File name:	lx8y2c.bat
Download:	download sample
File size:	507 bytes
First seen:	2025-12-29 08:41:51 UTC
Last seen:	Never
File type:	bat
MIME type:	text/plain
ssdeep	12:s80Qpc5InLgyaIS1PKC26wx0kTV45kJ00qo78YnaXBXOVZ50H:xLw1PKC26mJZ4Yn2kVi
Threatray	115 similar samples on MalwareBazaar
TLSH	T1C9F0051351A993CC15D846F211146DA8832D67DB37141E4D73F5CF4C8B8215855DF7C4
Magika	powershell
Reporter	abuse_ch
Tags:	bat

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

http://files.catbox.moe/lx8y2c.bat

Verdict:

Malicious activity

Analysis date:

2025-03-24 16:17:38 UTC

Tags:

autorun-download

Link:

https://app.any.run/tasks/b5dd45ae-8643-4f1c-befe-8b0b7cb589e0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/46451/

Detection(s):

SecuriteInfo.com.Heur.BZC.MNT.Boxter.830.7F94144B.9928.26659.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69523efa7468b4bd1c8e97f8

Tags:

ransomware shell sage

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 powershell

Link:

https://www.filescan.io/uploads/69523eeb7d55b68cb20c4deb/reports/0466112e-426b-4861-a612-d4e26c4c92fe/overview

Verdict:

Malicious

Labled as:

BZC.MNT.Boxter.830

Link:

https://www.hybrid-analysis.com/sample/0970b5bea3795f0d8e9b2adc6e97ba05ce8ca486112e1110c4d5652d068fff4a

Verdict:

Malicious

File Type:

ps1

First seen:

2025-12-29T06:03:00Z UTC

Last seen:

2025-12-29T06:53:00Z UTC

Hits:

~10

Detections:

Trojan.PowerShell.Strion.sb

Link:

https://opentip.kaspersky.com/0970b5bea3795f0d8e9b2adc6e97ba05ce8ca486112e1110c4d5652d068fff4a/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1841301

Signature

Bypasses PowerShell execution policy

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Powerup Write Hijack DLL

Suspicious powershell command line found

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/0970b5bea3795f0d8e9b2adc6e97ba05ce8ca486112e1110c4d5652d068fff4a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0970b5bea3795f0d8e9b2adc6e97ba05ce8ca486112e1110c4d5652d068fff4a/

Verdict:

Malicious

Threat:

Trojan.PowerShell.Strion

Link:

https://tip.neiki.dev/file/0970b5bea3795f0d8e9b2adc6e97ba05ce8ca486112e1110c4d5652d068fff4a

Threat name:

Script-PowerShell.Trojan.Boxter

Status:

Malicious

First seen:

2025-03-23 06:50:00 UTC

File Type:

Text (Batch)

AV detection:

7 of 36 (19.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bfyllpvdpfpq3du3flog5f52axhizjegcexbcege2vss2bup75fa._file

Verdict:

malicious

Label(s):

xworm

umbral

r77rootkit

unc_loader_063

595b3e370a653b8f722105d4aaf464b577c8f242504743519d7b5e96ba073fe0

59d32fa381f4dd0d841042c158dc54448af26913ae97a1bc401dfd2dc4da6387

7dae70f040b7ff11b7f3bd92f78e409d88a279a593990beafe8208a2df86d5c7

899f59db7e0fb9731002fb1922785bc217ebb1f8183f30e3a2d2945620e99902

error

+ 105 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/251229-kl6sqsa16c/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0970b5bea379/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0970b5bea3795f0d8e9b2adc6e97ba05ce8ca486112e1110c4d5652d068fff4a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_PowerShell_Base64_Decode Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects PowerShell code to decode Base64 data. This can yield many FP

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

bat 0970b5bea3795f0d8e9b2adc6e97ba05ce8ca486112e1110c4d5652d068fff4a

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3745315/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/46451/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample