MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ba574b61dca255ef93e884d9cbad520403166562a7ae8ce28417080d52fe0a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ba574b61dca255ef93e884d9cbad520403166562a7ae8ce28417080d52fe0a7
SHA3-384 hash: 182c0f5340eb8c28de97e564db707ea81ac70dc73654afa1cd8689047bfa2991d89bb2d7d5564206170feede782e1160
SHA1 hash: feb4018e5a0deac27f074ede93d373455a5dacb4
MD5 hash: e3b482a015f3f7fb9c1853f67c2de7fd
humanhash: spaghetti-speaker-earth-ceiling
File name:z35awb_shipping.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:94'085 bytes
First seen:2025-05-20 22:00:11 UTC
Last seen:2025-05-21 06:46:24 UTC
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 1536:ZqEuRW8rD+XNdZkbmEKUgXEXzICKUnFU0RYYFee0HaypNyl2m3Wacp5R/DiBffB4:ZduRRrWGHf2qeJ6yzyEOEHR/Ok
Threatray 1'751 similar samples on MalwareBazaar
TLSH T17C93A67AD670AED803FDB9940E6E6B0D105C87E3616087EC74862870B9D8D11EFF6E19
Magika vba
Reporter FXOLabs
Tags:bat xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
134
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
z35awb_shipping.bat
Verdict:
Malicious activity
Analysis date:
2025-05-20 22:03:01 UTC
Tags:
auto-startup remote xworm susp-powershell
Link:
https://app.any.run/tasks/0a8f8215-96a8-481d-9319-1b6b84ce2af3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BAT.Obfus-3.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682cfbc5c28c67d66642c876
Tags:
obfuscate autorun xtreme shell
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 evasive masquerade obfuscated powershell
Link:
https://www.filescan.io/uploads/682cfb7ac609634bd7cc6904/reports/6856232e-a959-4506-9190-dd1a90fdcfb6/overview
Verdict:
Suspicious
Labled as:
BAT/Agent.AZY
Link:
https://www.hybrid-analysis.com/sample/1ba574b61dca255ef93e884d9cbad520403166562a7ae8ce28417080d52fe0a7
Result
Threat name:
Batch Injector, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1695461
Signature
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
Yara detected Batch Injector
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1695461 Sample: z35awb_shipping.bat Startdate: 21/05/2025 Architecture: WINDOWS Score: 100 92 wealthytradesbanks.duckdns.org 2->92 96 Suricata IDS alerts for network traffic 2->96 98 Found malware configuration 2->98 100 Malicious sample detected (through community Yara rule) 2->100 104 17 other signatures 2->104 10 cmd.exe 1 2->10         started        13 cmd.exe 2->13         started        15 cmd.exe 1 2->15         started        17 17 other processes 2->17 signatures3 102 Uses dynamic DNS services 92->102 process4 dnsIp5 114 Suspicious powershell command line found 10->114 116 Bypasses PowerShell execution policy 10->116 20 cmd.exe 3 10->20         started        23 conhost.exe 10->23         started        25 cmd.exe 13->25         started        27 conhost.exe 13->27         started        29 cmd.exe 2 15->29         started        31 conhost.exe 15->31         started        90 127.0.0.1 unknown unknown 17->90 33 cmd.exe 2 17->33         started        35 cmd.exe 2 17->35         started        37 30 other processes 17->37 signatures6 process7 signatures8 106 Suspicious powershell command line found 20->106 39 powershell.exe 20 20->39         started        44 conhost.exe 20->44         started        46 powershell.exe 25->46         started        48 conhost.exe 25->48         started        50 powershell.exe 29->50         started        52 conhost.exe 29->52         started        54 2 other processes 33->54 56 2 other processes 35->56 58 28 other processes 37->58 process9 dnsIp10 94 wealthytradesbanks.duckdns.org 185.167.61.11, 3033, 49717, 49724 INETLTDTR Turkey 39->94 72 C:\Users\user\AppData\Roaming\...\d815.bat, ASCII 39->72 dropped 74 C:\Users\user\AppData\...\tmp9F84.tmp.bat, DOS 39->74 dropped 108 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 39->108 110 Drops script or batch files to the startup folder 39->110 112 Found suspicious powershell code related to unpacking or dynamic code loading 39->112 60 cmd.exe 39->60         started        76 C:\Users\user\AppData\Roaming\...\2728.bat, ASCII 46->76 dropped 62 cmd.exe 46->62         started        78 C:\Users\user\AppData\Roaming\...\aa24.bat, ASCII 50->78 dropped 80 C:\Users\user\AppData\Roaming\...\5076.bat, ASCII 54->80 dropped 82 C:\Users\user\AppData\Roaming\...\e811.bat, ASCII 56->82 dropped 84 C:\Users\user\AppData\Roaming\...\f18b.bat, ASCII 58->84 dropped 86 C:\Users\user\AppData\Roaming\...\ca24.bat, ASCII 58->86 dropped 88 12 other malicious files 58->88 dropped file11 signatures12 process13 process14 64 conhost.exe 60->64         started        66 timeout.exe 60->66         started        68 conhost.exe 62->68         started        70 timeout.exe 62->70         started       
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/1ba574b61dca255ef93e884d9cbad520403166562a7ae8ce28417080d52fe0a7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ba574b61dca255ef93e884d9cbad520403166562a7ae8ce28417080d52fe0a7/
Threat name:
Script-BAT.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2025-05-20 22:00:30 UTC
File Type:
Text
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dosxjnq5zisv56j6rbgzzowvebadczswfj5ortriifyibvjp4ctq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
3e725d0efe588ac45c5bfa6aee1b6d5e75b65aa3a301e274c5e8e825ac390b7e
XWorm
4fecb0662c4acd463645475e4efca2a14f4afa0960f34cdfd3e50346005efd83
XWorm
53a2f686422f9f71b69d3a9699661c96dc1375d490ea188d5141bb1e8ae89029
XWorm
665e41e416954d5ff623a37c7bce17d409c11e003c29ae9ddeb25fc736e533c7
XWorm
80a21952b87d83eb419768268b334364ecab48dbb9cbe55b967ba9636e512cab
XWorm
927a9f72eb0fb2e6e4189884e319ce4bbb99152c2b1c7670f3b5429be437714c
XWorm
95bd50b1c849b16159f239b176e9c48d97bc7d841441829ec974997a93cb4c1e
XWorm
d08c0197f69f9b77a3396a6f07c4432ed0bc3e5e0e450aed5f14f1aa42eda53e
XWorm
e5269c1e1058ff5344999040ab4d02ad3cc2cb1020a2e1d9de9c62fed5e9123f
XWorm
error
XWorm
fa998dd5153a01397534f381ab5655a7afeb94e4b236e0dc4ffbed6891011949
XWorm
+ 1'741 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution rat trojan
Link:
https://tria.ge/reports/250520-1wvq8acr3w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Network Configuration Discovery: Internet Connection Discovery
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
wealthytradesbanks.duckdns.org:3033
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1ba574b61dca/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Batch (bat) bat 1ba574b61dca255ef93e884d9cbad520403166562a7ae8ce28417080d52fe0a7

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments