MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20653a298c5d681cc4fe764442a2cc569914debc5e18bdfc26d6b4ff926c1019. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20653a298c5d681cc4fe764442a2cc569914debc5e18bdfc26d6b4ff926c1019
SHA3-384 hash: 44b89a7d9061a99651bddcb5e65935f387aa7165c95bf739f5f46d6f42f86bec7e03f07d64fb106c0f8eae60d5219dd1
SHA1 hash: 0e2e54e2a4d344e2cb2c3b23062964520aaa6019
MD5 hash: 54173c1d8fd697fb683e2ed32c62039f
humanhash: whiskey-king-uranus-four
File name:MEGO-BAT.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:421 bytes
First seen:2026-03-18 08:39:02 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 12:wbYVJ4JFilo984CXLgyaIS1PKC2ALFyGHDfhHXQ1MnGHXbk1N:wq4jiloEXLw1PKC2kFHDV9n
TLSH T1EAE0A3144336210E49558597480D91DAD69DE2C813377AF769C46C804D401CA795F15C
Magika batch
Reporter abuse_ch
Tags:bat xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
56
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
BatchScript
Details
BatchScript
varying reportable information from embedded commands and any observed URLs
Link:
https://research.acce.ciphertechsolutions.com/results/a7fddffd-437b-42d5-b28d-32482029df60/
Malware family:
n/a
ID:
1
File name:
_20653a298c5d681cc4fe764442a2cc569914debc5e18bdfc26d6b4ff926c1019.txt
Verdict:
No threats detected
Analysis date:
2026-03-18 08:40:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/44d29ced-65c4-4447-bcaf-3845e61f9968

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57888/
Detection(s):
SecuriteInfo.com.Generic.PWSH.Downloader.D.4F04D42D.817.1318.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69ba64b593b644ca466b3ac4
Tags:
shell virus sage
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Connection attempt to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 batch evasive lolbin obfuscated opendir persistence powershell schtasks
Link:
https://www.filescan.io/uploads/69ba64b32000fc76c3e8af71/reports/a7fdd7f5-3e27-48be-94d6-c11fe72f3cfc/overview
Verdict:
Malicious
Labled as:
PWSH.Downloader.D.Generic
Link:
https://www.hybrid-analysis.com/sample/20653a298c5d681cc4fe764442a2cc569914debc5e18bdfc26d6b4ff926c1019
Verdict:
Malicious
File Type:
unix shell
Detections:
Backdoor.MSIL.XWorm.b Trojan-Downloader.Agent.HTTP.C&C PDM:Trojan.Win32.Tasker.cust UDS:DangerousObject.Multi.Generic Trojan-PSW.Win32.Agent.sb HEUR:Backdoor.MSIL.XClient.b HEUR:Trojan.BAT.Alien.gen Trojan.PowerShell.DefenderDisabler.sb Backdoor.MSIL.XWorm.a PDM:Trojan.Win32.Generic Trojan.Win32.Vimditator.sb Trojan.Win32.Agent.sb HEUR:Backdoor.MSIL.XWorm.gen Trojan.MSIL.Agent.sba Trojan.MSIL.Agent.sb NetTool.PowerShellGet.HTTP.C&C NetTool.PowerShellUA.HTTP.C&C
Link:
https://opentip.kaspersky.com/20653a298c5d681cc4fe764442a2cc569914debc5e18bdfc26d6b4ff926c1019/results?tab=lookup
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1885410
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Disable Windows Defender real time protection (registry)
Disable Windows Notification Center
Disable Windows Toast Notifications
Disables UAC (registry)
Found malware configuration
Found pyInstaller with non standard icon
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential Privilege Escalation using Task Scheduler highest RunLevel
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Malicious PowerShell Commandlets - ProcessCreation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: PowerShell DownloadFile
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1885410 Sample: MEGO-BAT.bat Startdate: 18/03/2026 Architecture: WINDOWS Score: 100 88 ip-api.com 2->88 90 www.google.com 2->90 92 3 other IPs or domains 2->92 110 Suricata IDS alerts for network traffic 2->110 112 Found malware configuration 2->112 114 Malicious sample detected (through community Yara rule) 2->114 116 20 other signatures 2->116 10 cmd.exe 1 2->10         started        13 MEGO-BAT.exe 2->13         started        16 MEGO-BAT.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 file5 140 Suspicious powershell command line found 10->140 142 Uses cmd line tools excessively to alter registry or file data 10->142 144 Tries to download and execute files (via powershell) 10->144 146 3 other signatures 10->146 20 powershell.exe 17 17 10->20         started        25 conhost.exe 10->25         started        70 C:\Users\user\AppData\Local\...\zlib1.dll, PE32+ 13->70 dropped 72 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 13->72 dropped 74 C:\Users\user\AppData\Local\...\tk86t.dll, PE32+ 13->74 dropped 84 25 other malicious files 13->84 dropped 27 MEGO-BAT.exe 13->27         started        76 C:\Users\user\AppData\Local\...\zlib1.dll, PE32+ 16->76 dropped 78 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 16->78 dropped 80 C:\Users\user\AppData\Local\...\tk86t.dll, PE32+ 16->80 dropped 86 25 other malicious files 16->86 dropped 29 MEGO-BAT.exe 16->29         started        82 C:\Users\user\AppData\...\Security.exe.log, CSV 18->82 dropped 31 WerFault.exe 18->31         started        signatures6 process7 dnsIp8 94 156.233.71.230, 49709, 49711, 80 IKGUL-26484US Seychelles 20->94 66 C:\Users\user\AppData\Local\...\MEGO-BAT.bat, DOS 20->66 dropped 136 Found suspicious powershell code related to unpacking or dynamic code loading 20->136 138 Powershell drops PE file 20->138 33 cmd.exe 2 20->33         started        68 C:\ProgramData\Microsoft\...\Report.wer, Unicode 31->68 dropped file9 signatures10 process11 signatures12 102 Suspicious powershell command line found 33->102 104 Uses cmd line tools excessively to alter registry or file data 33->104 106 Tries to download and execute files (via powershell) 33->106 108 Adds a directory exclusion to Windows Defender 33->108 36 MEGO-BAT.exe 33->36         started        40 Security.exe 33->40         started        43 powershell.exe 23 33->43         started        45 22 other processes 33->45 process13 dnsIp14 54 C:\Users\user\AppData\Local\...\zlib1.dll, PE32+ 36->54 dropped 56 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 36->56 dropped 58 C:\Users\user\AppData\Local\...\tk86t.dll, PE32+ 36->58 dropped 64 25 other malicious files 36->64 dropped 118 Found pyInstaller with non standard icon 36->118 47 MEGO-BAT.exe 36->47         started        96 ip-api.com 208.95.112.1, 49714, 49731, 80 TUT-ASUS United States 40->96 120 Antivirus detection for dropped file 40->120 122 Multi AV Scanner detection for dropped file 40->122 124 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 40->124 49 WerFault.exe 40->49         started        126 Loading BitLocker PowerShell Module 43->126 98 github.com 140.82.112.4, 443, 49712 GITHUBUS United States 45->98 100 raw.githubusercontent.com 185.199.110.133, 443, 49713 FASTLYUS Netherlands 45->100 60 C:\ProgramData\WinGuard\Security.exe, PE32 45->60 dropped 62 C:\ProgramData\WinGuard\MEGO-BAT.exe, PE32+ 45->62 dropped 128 Creates multiple autostart registry keys 45->128 130 Disables UAC (registry) 45->130 132 Disable Windows Defender real time protection (registry) 45->132 134 2 other signatures 45->134 file15 signatures16 process17 file18 52 C:\ProgramData\Microsoft\...\Report.wer, Unicode 49->52 dropped
Score:
85%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/20653a298c5d681cc4fe764442a2cc569914debc5e18bdfc26d6b4ff926c1019
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20653a298c5d681cc4fe764442a2cc569914debc5e18bdfc26d6b4ff926c1019/
Verdict:
Malicious
Threat:
Backdoor.MSIL.XWorm
Link:
https://tip.neiki.dev/file/20653a298c5d681cc4fe764442a2cc569914debc5e18bdfc26d6b4ff926c1019
Threat name:
Script-PowerShell.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-03-18 05:59:50 UTC
File Type:
Text (Batch)
AV detection:
5 of 36 (13.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ebstukmmlvubzrh6ozcefiwmk2mrjxv4lyml37bg222p7etmcamq._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm defense_evasion evasion execution persistence pyinstaller rat trojan
Link:
https://tria.ge/reports/260318-kkeb4aet5t/
Behaviour
Modifies registry class
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Detects Pyinstaller
Adds Run key to start application
Contacts third-party web service commonly abused for C2
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Detect Xworm Payload
Modifies Windows Defender DisableAntiSpyware settings
Modifies Windows Defender Real-time Protection settings
UAC bypass
Xworm
Xworm family
Malware Config
C2 Extraction:
slashxx.duckdns.org:4040
Dropper Extraction:
http://156.233.71.230/EN/Exe/kSYMP4/MEGO-BAT.ico
http://156.233.71.230/EN/Exe/kSYMP4/MEGO-BAT.exe
https://github.com/moyousry95/slash2/raw/refs/heads/main/Security.exe
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/20653a298c5d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20653a298c5d681cc4fe764442a2cc569914debc5e18bdfc26d6b4ff926c1019

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_PowerShell_Base64_Decode
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects PowerShell code to decode Base64 data. This can yield many FP
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Batch (bat) bat 20653a298c5d681cc4fe764442a2cc569914debc5e18bdfc26d6b4ff926c1019

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3798094/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/57888/

Comments