MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1393a105128cb3b877843861a80b0c628c3b692e3473fa73ff818d1f47aaa7e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1393a105128cb3b877843861a80b0c628c3b692e3473fa73ff818d1f47aaa7e6
SHA3-384 hash: e2aec9eee8319910e3c3fa3bb268ec8c4d3a0a0d24478a7797876d469267f50de972ac9c09f07c3a651fb992f71d719f
SHA1 hash: e7afe670b7753bd96ae89ec3d3319428fc2ef7ec
MD5 hash: 05ceb11768255ef106e317fe93ecc522
humanhash: pluto-island-emma-equal
File name:awb_DHL_original_shipping_documents_nov_2025_pdf.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:169'576 bytes
First seen:2025-11-05 14:56:12 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 1536:pCLc9L+N9Lfeuf2DV/glkW3PDl+RFInK+lLG3i2bHr9iry:pCLcF+N9Lfeuf2DVIR/Dl+RFiKaOv9V
Threatray 1'487 similar samples on MalwareBazaar
TLSH T181F3E8B03D0194883FB5A04EF7D9D69F97D7E90A376122DE4222CC5F166358A8BDE834
Magika batch
Reporter lowmal3
Tags:bat DHL xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
awb_DHL_original_shipping_documents_nov_2025_pdf.z
Verdict:
Malicious activity
Analysis date:
2025-11-05 10:45:30 UTC
Tags:
arch-exec susp-powershell remote xworm api-base64
Link:
https://app.any.run/tasks/fe6d255d-8ce8-4dd1-b90c-2392f9bf1b36

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/35534/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690b222f9942f1282ecc5fe8
Tags:
obfuscate xtreme shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching cmd.exe command interpreter
Creating a file
Launching a process
Сreating synchronization primitives
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Query of malicious DNS domain
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 evasive masquerade obfuscated powershell
Link:
https://www.filescan.io/uploads/690b65ae4425b0b1fd161f5b/reports/b8e84981-2ff7-4400-8c13-190e47da157f/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/1393a105128cb3b877843861a80b0c628c3b692e3473fa73ff818d1f47aaa7e6
Verdict:
Malicious
File Type:
text
First seen:
2025-11-05T01:14:00Z UTC
Last seen:
2025-11-05T11:40:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.PowerShell.Tesre.sb Backdoor.MSIL.XWorm.b Trojan.BAT.Agent.sb Trojan.BAT.Agent.cpp
Link:
https://opentip.kaspersky.com/1393a105128cb3b877843861a80b0c628c3b692e3473fa73ff818d1f47aaa7e6/results?tab=lookup
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1808637
Signature
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1808637 Sample: awb_DHL_original_shipping_d... Startdate: 05/11/2025 Architecture: WINDOWS Score: 100 97 businesstradings.duckdns.org 2->97 101 Suricata IDS alerts for network traffic 2->101 103 Found malware configuration 2->103 105 Malicious sample detected (through community Yara rule) 2->105 109 17 other signatures 2->109 9 cmd.exe 1 2->9         started        12 cmd.exe 1 2->12         started        14 cmd.exe 1 2->14         started        16 10 other processes 2->16 signatures3 107 Uses dynamic DNS services 97->107 process4 dnsIp5 113 Suspicious powershell command line found 9->113 115 Bypasses PowerShell execution policy 9->115 19 cmd.exe 1 9->19         started        21 conhost.exe 9->21         started        23 cmd.exe 1 12->23         started        25 conhost.exe 12->25         started        27 cmd.exe 1 14->27         started        29 conhost.exe 14->29         started        95 127.0.0.1 unknown unknown 16->95 31 cmd.exe 1 16->31         started        33 cmd.exe 1 16->33         started        35 16 other processes 16->35 signatures6 process7 process8 37 cmd.exe 3 19->37         started        40 cmd.exe 1 23->40         started        42 cmd.exe 1 27->42         started        44 cmd.exe 1 31->44         started        46 cmd.exe 1 33->46         started        48 cmd.exe 1 35->48         started        50 cmd.exe 35->50         started        52 cmd.exe 35->52         started        54 4 other processes 35->54 signatures9 111 Suspicious powershell command line found 37->111 56 2 other processes 37->56 61 2 other processes 40->61 63 2 other processes 42->63 65 2 other processes 44->65 67 2 other processes 46->67 69 2 other processes 48->69 71 2 other processes 50->71 73 2 other processes 52->73 75 8 other processes 54->75 process10 dnsIp11 99 businesstradings.duckdns.org 185.167.61.11, 3033, 49700 INETLTDTR Turkey 56->99 77 C:\Users\user\AppData\Roaming\...\62d7.bat, ASCII 56->77 dropped 117 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 56->117 119 Drops script or batch files to the startup folder 56->119 121 Found suspicious powershell code related to unpacking or dynamic code loading 56->121 123 Loading BitLocker PowerShell Module 56->123 79 C:\Users\user\AppData\Roaming\...\8714.bat, ASCII 61->79 dropped 81 C:\Users\user\AppData\Roaming\...\661c.bat, ASCII 63->81 dropped 83 C:\Users\user\AppData\Roaming\...\f276.bat, ASCII 65->83 dropped 85 C:\Users\user\AppData\Roaming\...\3734.bat, ASCII 67->85 dropped 87 C:\Users\user\AppData\Roaming\...\9a13.bat, ASCII 69->87 dropped 89 C:\Users\user\AppData\Roaming\...\2193.bat, ASCII 71->89 dropped 91 C:\Users\user\AppData\Roaming\...\3ced.bat, ASCII 73->91 dropped 93 3 other malicious files 75->93 dropped file12 signatures13
Score:
96%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/1393a105128cb3b877843861a80b0c628c3b692e3473fa73ff818d1f47aaa7e6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1393a105128cb3b877843861a80b0c628c3b692e3473fa73ff818d1f47aaa7e6/
Verdict:
Malicious
Threat:
Backdoor.MSIL.XWorm
Link:
https://tip.neiki.dev/file/1393a105128cb3b877843861a80b0c628c3b692e3473fa73ff818d1f47aaa7e6
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2025-11-05 10:08:49 UTC
File Type:
Text
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=coj2cbisrsz3q54ehbq2qcymmkgdw2jogrz7u477qggr6r5ku7ta._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
49adb2ba0f7b69d65978419b690af6ddca5d176cb143e24860decf5d41f4dedf
XWorm
4a980e38257b9dbf0e1ff47c3faef90d62e2fcdb663fa1421735f7ace6394a56
XWorm
4fc5db02f555a38fe3a0153e1f7d8261fc545a9ac7a2951a4558f5571b20531d
XWorm
60e6d178e020d6f0238910fdab18445d1a950c79d3c20b8560613364e14a6f0b
XWorm
6cf1c68d259035f265168771686ac382616e240c82e0c449589cd66dc181549e
XWorm
84bc64c5f0b3e217896ebecb8b6d434d0c8fb4c33aa87125b3b8e2062aa283d5
XWorm
b7e93b89a32f2b7ed23d4e053791bd79ca4a3ad0b864797eb575ced88da59f8e
XWorm
bbd166e6d916f328c29a4e19a4cb2f686c447b197eb7291def515bc3a63fdda7
XWorm
c3b6ec7c083b42ee8fc740390176c8946d4e1334eb6309f3b52119db1107948c
XWorm
error
XWorm
+ 1'477 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution rat trojan
Link:
https://tria.ge/reports/251105-sbdyzavlaq/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
System Network Configuration Discovery: Internet Connection Discovery
Command and Scripting Interpreter: PowerShell
Drops startup file
Badlisted process makes network request
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
businesstradings.duckdns.org:3033
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1393a105128c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1393a105128cb3b877843861a80b0c628c3b692e3473fa73ff818d1f47aaa7e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Batch (bat) bat 1393a105128cb3b877843861a80b0c628c3b692e3473fa73ff818d1f47aaa7e6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/35534/

Comments