MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 203d89bb4cc6f43407327ed2c132bbe394cb55f7ff3cd4f84038943df2e0ebf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 203d89bb4cc6f43407327ed2c132bbe394cb55f7ff3cd4f84038943df2e0ebf7
SHA3-384 hash: 830f3464fa28bd819bea67635df80d93db40c02e6cf73f48b239ba0eecb57d8a674b572aaa0ee9b3f9afda042d79ef9a
SHA1 hash: f21062ecf921667a39c3dd288122f7fc73e26155
MD5 hash: 8cbf4af125b72516ecb4ed6b5be5e6ac
humanhash: ink-delta-batman-three
File name:Payment_Invoice.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:154'177 bytes
First seen:2025-10-23 07:53:24 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 3072:A6iI699Gy1g+RvmQUWGw0cQIBXCsdUowhy9n1:dy1g+RvmQUWGw0cTBXCCUc1
TLSH T1F9E3F829475FB888261BB8D2F5F53F863B2DD652513175AE87CE84330D17F26AE0D128
Magika batch
Reporter smica83
Tags:bat xworm

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
83.147.243.110:1008 https://threatfox.abuse.ch/ioc/1625382/

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment_Invoice.bat
Verdict:
Malicious activity
Analysis date:
2025-10-23 07:54:47 UTC
Tags:
auto-startup evasion susp-powershell api-base64 xworm
Link:
https://app.any.run/tasks/8ce14071-285c-46af-8f23-5f3582181c1c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/33841/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f9df083edd081eba4101dc
Tags:
obfuscate autorun xtreme shell
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 evasive masquerade obfuscated powershell
Link:
https://www.filescan.io/uploads/68f9df05c85c5c5697336633/reports/9c5cb7fe-ee81-4830-82bf-66e30a411b01/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/203d89bb4cc6f43407327ed2c132bbe394cb55f7ff3cd4f84038943df2e0ebf7
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-10-23T05:20:00Z UTC
Last seen:
2025-10-23T05:58:00Z UTC
Hits:
~10
Detections:
Backdoor.MSIL.Crysan.d Trojan.BAT.Agent.sb HEUR:Trojan.PowerShell.Tesre.sb Backdoor.MSIL.XWorm.b Backdoor.MSIL.XWorm.a PDM:Trojan.Win32.Generic Backdoor.Agent.TCP.C&C Trojan.PowerShell.AmsiBypass.sb HEUR:Trojan.BAT.Tesre.gen
Link:
https://opentip.kaspersky.com/203d89bb4cc6f43407327ed2c132bbe394cb55f7ff3cd4f84038943df2e0ebf7/results?tab=lookup
Result
Threat name:
AsyncRAT, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1800387
Signature
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to log keystrokes (.Net Source)
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AsyncRAT
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1800387 Sample: Payment_Invoice.bat Startdate: 23/10/2025 Architecture: WINDOWS Score: 100 94 ip-api.com 2->94 100 Suricata IDS alerts for network traffic 2->100 102 Found malware configuration 2->102 104 Malicious sample detected (through community Yara rule) 2->104 106 17 other signatures 2->106 9 cmd.exe 1 2->9         started        12 cmd.exe 1 2->12         started        14 cmd.exe 1 2->14         started        16 11 other processes 2->16 signatures3 process4 signatures5 110 Suspicious powershell command line found 9->110 18 cmd.exe 1 9->18         started        20 conhost.exe 9->20         started        22 cmd.exe 1 12->22         started        24 conhost.exe 12->24         started        26 cmd.exe 1 14->26         started        28 conhost.exe 14->28         started        30 cmd.exe 1 16->30         started        32 cmd.exe 1 16->32         started        34 20 other processes 16->34 process6 process7 36 cmd.exe 2 18->36         started        39 cmd.exe 1 22->39         started        41 cmd.exe 1 26->41         started        43 cmd.exe 1 30->43         started        45 cmd.exe 1 32->45         started        47 cmd.exe 34->47         started        49 cmd.exe 34->49         started        51 cmd.exe 34->51         started        53 6 other processes 34->53 signatures8 108 Suspicious powershell command line found 36->108 55 2 other processes 36->55 60 2 other processes 39->60 62 2 other processes 41->62 64 2 other processes 43->64 66 2 other processes 45->66 68 2 other processes 47->68 70 2 other processes 49->70 72 2 other processes 51->72 74 12 other processes 53->74 process9 dnsIp10 96 83.147.243.110, 1008, 49724 BAHARNETIR Iran (ISLAMIC Republic Of) 55->96 98 ip-api.com 208.95.112.1, 49723, 80 TUT-ASUS United States 55->98 76 C:\Users\user\AppData\Roaming\...\ac46.bat, ASCII 55->76 dropped 112 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 55->112 114 Drops script or batch files to the startup folder 55->114 116 Found suspicious powershell code related to unpacking or dynamic code loading 55->116 118 Loading BitLocker PowerShell Module 55->118 78 C:\Users\user\AppData\Roaming\...\d1ad.bat, ASCII 60->78 dropped 120 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 60->120 80 C:\Users\user\AppData\Roaming\...\63ee.bat, ASCII 62->80 dropped 82 C:\Users\user\AppData\Roaming\...\5722.bat, ASCII 64->82 dropped 84 C:\Users\user\AppData\Roaming\...\a643.bat, ASCII 66->84 dropped 86 C:\Users\user\AppData\Roaming\...\52db.bat, ASCII 68->86 dropped 88 C:\Users\user\AppData\Roaming\...\4b42.bat, ASCII 70->88 dropped 90 C:\Users\user\AppData\Roaming\...\60e0.bat, ASCII 72->90 dropped 92 5 other malicious files 74->92 dropped file11 signatures12
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/203d89bb4cc6f43407327ed2c132bbe394cb55f7ff3cd4f84038943df2e0ebf7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/203d89bb4cc6f43407327ed2c132bbe394cb55f7ff3cd4f84038943df2e0ebf7/
Verdict:
Malicious
Threat:
Backdoor.MSIL.XWorm
Link:
https://tip.neiki.dev/file/203d89bb4cc6f43407327ed2c132bbe394cb55f7ff3cd4f84038943df2e0ebf7
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ea6yto2my32dibzsp3jmcmv34okmwvpx746nj6cahckd34xa5p3q._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/251023-jrartaaj81/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Drops startup file
Badlisted process makes network request
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
prakashjadha.ddnsgeek.com:1008
83.147.243.110:1008
pradeepprabhu705.duckdns.org:1008
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/203d89bb4cc6f43407327ed2c132bbe394cb55f7ff3cd4f84038943df2e0ebf7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/33841/

Comments