MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ab149edd126d249c172864346f45dbcfa0ddee02015b6e44a121e6adbd5bd31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ab149edd126d249c172864346f45dbcfa0ddee02015b6e44a121e6adbd5bd31
SHA3-384 hash: 2ff2cb395f19d59bffd95c94a06d0d7237a5fcff7d9a1fa0b5d02437530b1c21c807823cdbc93fae2d8b45033393ff3f
SHA1 hash: cae596fb1cd6ee9c537adca085934691fbb0a9f6
MD5 hash: 86d239da48f5f218861fd0c747ae6359
humanhash: kitten-charlie-pennsylvania-pennsylvania
File name:rRevised_Produc.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:57'621 bytes
First seen:2025-06-02 00:00:11 UTC
Last seen:2025-06-02 07:31:25 UTC
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 1536:V10Oz6GF5WYgYadArmEwiq9mXD6j8vk6r8g/v5SmRVLY4:cOWGqVYLYmTFVNV
Threatray 1'849 similar samples on MalwareBazaar
TLSH T11043A23CCAE5EDD043AFB0D092BD3F52105C5B53BBA15B6CF6C519A91B0868BEB36148
Magika vba
Reporter FXOLabs
Tags:bat xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rRevised_Produc.bat
Verdict:
No threats detected
Analysis date:
2025-06-02 00:03:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ae5d046f-f71b-4624-a897-f791b4ce7ca8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6780/
Detection(s):
SecuriteInfo.com.BAT.Obfus-4.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683cea85668438e362ea0458
Tags:
obfuscate xtreme shell
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd evasive lolbin obfuscated powershell timeout
Link:
https://www.filescan.io/uploads/683ce996fd02ed5e05929de0/reports/bdadd6b4-4851-4aa9-8c6e-fe0a1346cf2d/overview
Verdict:
Malicious
Labled as:
BAT/Agent.AZY
Link:
https://www.hybrid-analysis.com/sample/0ab149edd126d249c172864346f45dbcfa0ddee02015b6e44a121e6adbd5bd31
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1703573
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Uses dynamic DNS services
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1703573 Sample: rRevised_Produc.bat Startdate: 02/06/2025 Architecture: WINDOWS Score: 100 54 businesstradings.duckdns.org 2->54 56 pki-goog.l.google.com 2->56 58 c.pki.goog 2->58 62 Suricata IDS alerts for network traffic 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 70 10 other signatures 2->70 10 cmd.exe 1 2->10         started        13 cmd.exe 1 2->13         started        signatures3 68 Uses dynamic DNS services 54->68 process4 signatures5 74 Suspicious powershell command line found 10->74 76 Bypasses PowerShell execution policy 10->76 78 Suspicious command line found 10->78 15 cmd.exe 1 10->15         started        18 conhost.exe 10->18         started        20 cmd.exe 1 13->20         started        22 conhost.exe 13->22         started        process6 signatures7 86 Suspicious powershell command line found 15->86 88 Suspicious command line found 15->88 24 powershell.exe 19 15->24         started        29 conhost.exe 15->29         started        31 cmd.exe 1 15->31         started        33 powershell.exe 20->33         started        35 conhost.exe 20->35         started        37 cmd.exe 1 20->37         started        39 timeout.exe 1 20->39         started        process8 dnsIp9 60 businesstradings.duckdns.org 185.167.61.11, 3033, 49693 INETLTDTR Turkey 24->60 50 C:\Users\user\...\StartupScript_7bb1487d.cmd, ASCII 24->50 dropped 80 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->80 82 Suspicious powershell command line found 24->82 84 Found suspicious powershell code related to unpacking or dynamic code loading 24->84 41 powershell.exe 35 24->41         started        44 powershell.exe 28 24->44         started        52 \Device\ConDrv, ASCII 33->52 dropped 46 powershell.exe 33->46         started        file10 signatures11 process12 signatures13 72 Loading BitLocker PowerShell Module 41->72 48 conhost.exe 41->48         started        process14
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/0ab149edd126d249c172864346f45dbcfa0ddee02015b6e44a121e6adbd5bd31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ab149edd126d249c172864346f45dbcfa0ddee02015b6e44a121e6adbd5bd31/
Threat name:
Script-BAT.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-06-02 00:00:25 UTC
File Type:
Text
AV detection:
10 of 24 (41.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bkyut3ore3jetqlsqzbun5c5xt5a3xxaeak3nzckcipgvw6vxuyq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
168c048aa7ca05f48086bf8ed7fe8886a6e220e2b5d123b56db4932ab04aec5b
XWorm
3e725d0efe588ac45c5bfa6aee1b6d5e75b65aa3a301e274c5e8e825ac390b7e
XWorm
4c3c7c82fef77195b527cac193188f01065d38da118efdd8d51d8fb53f5af87e
XWorm
53a2f686422f9f71b69d3a9699661c96dc1375d490ea188d5141bb1e8ae89029
XWorm
792754b8f83fc54cb4f36b0aef98b787d13c76b12a83e765f380d6d8f421abcb
XWorm
80a21952b87d83eb419768268b334364ecab48dbb9cbe55b967ba9636e512cab
XWorm
95bd50b1c849b16159f239b176e9c48d97bc7d841441829ec974997a93cb4c1e
XWorm
a88faac5c77bb82c70e4aea71d3dffc333540cc05bdb18c5d21b1f9c5b258bc0
XWorm
a90c46b549a798b086e2ef3ee17728c7456cdf3730b25f50500143e3a56de1f8
XWorm
cabe7c8088610b32f234f920fdfc9c0ba3c64301e1cb3bd443f400b9998ba50f
XWorm
error
XWorm
+ 1'839 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250602-aahawshj7s/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0ab149edd126d249c172864346f45dbcfa0ddee02015b6e44a121e6adbd5bd31

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Batch (bat) bat 0ab149edd126d249c172864346f45dbcfa0ddee02015b6e44a121e6adbd5bd31

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/6780/

Comments