MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fd18d94e14f0d6f387f32eee284d5896fe345f690b32cd754f0439d4f16aaed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2fd18d94e14f0d6f387f32eee284d5896fe345f690b32cd754f0439d4f16aaed
SHA3-384 hash: 3a1060abed99c9b29837601a932c56086551602b2e997b2ef937865a9bef287847242322741f261430f86fbf37746751
SHA1 hash: cb90a9742b0c3616fe525b094f772c50a50abd2e
MD5 hash: d8a4b013007f5ac346013406ddd8f783
humanhash: comet-october-uniform-indigo
File name:FGH09876546789.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:95'086 bytes
First seen:2026-02-25 07:36:41 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 1536:efsZRPZRxW9n7H1uxeTOVlY+XaOq4wkSceGOLFe7aJqBtAWZ70i2BT4KB+GY6/T+:efs/PtcH1WeTOJqTXcOkN337v2l4Mhhy
Threatray 5 similar samples on MalwareBazaar
TLSH T1F693F1515D8CAF74DBB5990C81EF28C19BEC1F0B10526A8BAB33DE866F7B24851D31E4
Magika batch
Reporter smica83
Tags:bat xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
BatchScript
Details
Link:
https://research.acce.ciphertechsolutions.com/results/01b27ccd-f6d1-4f46-a92e-15a5ff1cf235/
Malware family:
n/a
ID:
1
File name:
FGH09876546789.bat
Verdict:
Malicious activity
Analysis date:
2026-02-25 07:37:05 UTC
Tags:
auto-reg susp-powershell xworm remote donutloader loader
Link:
https://app.any.run/tasks/2cba6781-be0b-453e-8b19-f5020a3cc3cc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/54540/
Detection(s):
SecuriteInfo.com.BAT.Runner.PL.tr.1463.24712.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699ea6b38fffa866e3b1eb75
Tags:
ransomware dropper emotet sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Launching a process
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
alien base64 cscript evasive lolbin obfuscated powershell powershell
Link:
https://www.filescan.io/uploads/699ea6af10e80629d4f18309/reports/32aeb47e-bebb-41ee-bf4f-286b861c820d/overview
Verdict:
Suspicious
Labled as:
BAT/Agent.SBM trojan
Link:
https://www.hybrid-analysis.com/sample/2fd18d94e14f0d6f387f32eee284d5896fe345f690b32cd754f0439d4f16aaed
Verdict:
Malicious
File Type:
unix shell
Detections:
Backdoor.Win32.Androm.sb PDM:Trojan.Win32.Generic HEUR:Trojan.BAT.Alien.gen Trojan-Dropper.Win32.Injector.sb Trojan.Win32.Shellcode.sb Trojan.Win32.Agent.sb Backdoor.MSIL.XWorm.c Backdoor.MSIL.XWorm.b Backdoor.MSIL.Agent.sb Trojan.Win64.Agentb.sb Backdoor.MSIL.XWorm.a Backdoor.Agent.TCP.C&C
Link:
https://opentip.kaspersky.com/2fd18d94e14f0d6f387f32eee284d5896fe345f690b32cd754f0439d4f16aaed/results?tab=lookup
Result
Threat name:
DonutLoader, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1874567
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected malicious Powershell script
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Creates a thread in another existing process (thread injection)
Drops PE files with benign system names
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected DonutLoader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1874567 Sample: FGH09876546789.bat Startdate: 25/02/2026 Architecture: WINDOWS Score: 100 116 keyauth.win 2->116 118 ax-0003.ax-msedge.net 2->118 120 3 other IPs or domains 2->120 128 Found malware configuration 2->128 130 Malicious sample detected (through community Yara rule) 2->130 132 Yara detected DonutLoader 2->132 134 16 other signatures 2->134 14 cmd.exe 2 2->14         started        18 cmd.exe 2 2->18         started        signatures3 process4 file5 114 C:\Users\user\AppData\Local\Temp\DRESS.vbs, ASCII 14->114 dropped 164 Suspicious powershell command line found 14->164 166 Command shell drops VBS files 14->166 168 Uses cmd line tools excessively to alter registry or file data 14->168 170 Bypasses PowerShell execution policy 14->170 20 cscript.exe 2 14->20         started        22 conhost.exe 14->22         started        24 cscript.exe 2 18->24         started        26 conhost.exe 18->26         started        signatures6 process7 process8 28 cmd.exe 4 20->28         started        32 cmd.exe 1 24->32         started        file9 112 C:\Users\user\AppData\...\strongly.cmd, DOS 28->112 dropped 160 Suspicious powershell command line found 28->160 162 Uses cmd line tools excessively to alter registry or file data 28->162 34 powershell.exe 30 28->34         started        38 powershell.exe 12 28->38         started        40 conhost.exe 28->40         started        42 reg.exe 1 1 28->42         started        44 conhost.exe 32->44         started        46 powershell.exe 11 32->46         started        48 reg.exe 1 32->48         started        50 powershell.exe 32->50         started        signatures10 process11 file12 102 C:\Users\user\AppData\...\bizqsztc.cmdline, Unicode 34->102 dropped 136 Injects code into the Windows Explorer (explorer.exe) 34->136 138 Writes to foreign memory regions 34->138 140 Creates a thread in another existing process (thread injection) 34->140 52 explorer.exe 34->52 injected 56 explorer.exe 34->56         started        58 csc.exe 3 34->58         started        61 csc.exe 3 34->61         started        104 C:\Users\user\AppData\Local\Temp\FLEE.ps1, ASCII 38->104 dropped 142 Found suspicious powershell code related to unpacking or dynamic code loading 38->142 63 conhost.exe 44->63         started        signatures13 process14 dnsIp15 122 198.23.177.219, 4445, 49723 AS-COLOCROSSINGUS United States 52->122 144 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 52->144 146 Tries to harvest and steal browser information (history, passwords, etc) 52->146 148 Unusual module load detection (module proxying) 52->148 65 cmd.exe 52->65         started        68 csc.exe 52->68         started        71 csc.exe 52->71         started        77 3 other processes 52->77 124 ax-0003.ax-msedge.net 150.171.28.12 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 56->124 150 System process connects to network (likely due to code injection or exploit) 56->150 152 Query firmware table information (likely to detect VMs) 56->152 108 C:\Users\user\AppData\Local\...\bizqsztc.dll, PE32 58->108 dropped 154 Drops PE files with benign system names 58->154 73 cvtres.exe 1 58->73         started        110 C:\Users\user\AppData\Local\...\cvrrnjaj.dll, PE32 61->110 dropped 75 cvtres.exe 1 61->75         started        file16 signatures17 process18 file19 126 Command shell drops VBS files 65->126 79 cscript.exe 65->79         started        81 conhost.exe 65->81         started        106 C:\Users\user\AppData\Local\...\explorer.exe, PE32 68->106 dropped 83 conhost.exe 68->83         started        85 cvtres.exe 68->85         started        87 conhost.exe 71->87         started        89 cvtres.exe 71->89         started        signatures20 process21 process22 91 cmd.exe 79->91         started        signatures23 156 Suspicious powershell command line found 91->156 158 Uses cmd line tools excessively to alter registry or file data 91->158 94 conhost.exe 91->94         started        96 reg.exe 91->96         started        98 powershell.exe 91->98         started        100 powershell.exe 91->100         started        process24
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/2fd18d94e14f0d6f387f32eee284d5896fe345f690b32cd754f0439d4f16aaed
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2fd18d94e14f0d6f387f32eee284d5896fe345f690b32cd754f0439d4f16aaed/
Verdict:
Malicious
Threat:
Backdoor.MSIL.XWorm
Link:
https://tip.neiki.dev/file/2fd18d94e14f0d6f387f32eee284d5896fe345f690b32cd754f0439d4f16aaed
Threat name:
Script-BAT.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-02-25 05:04:56 UTC
File Type:
Text (Batch)
AV detection:
8 of 24 (33.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f7iy3fhbj4gw6od7glxofbgvrfx6grpwsczszv2u6bbz2tywvlwq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
donutloader
Create hunting rule
Similar samples:
0c04480d6f7b79530bad8c128795fe332cecbe146d2c0d83e475489ed9c9fd29
XWorm
67e7b0bf057c8c7ef117be16a168833235920d0af16921ff59d0866f0d05e050
XWorm
9b7023ed9d783bf33aa0178b91f82c2e6e7d69cd5db878845171fde65481bb4b
XWorm
a79144ac2441047775ba349433a8b27aed0c8087aae033e68fa21692412abef9
XWorm
error
XWorm
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:xworm defense_evasion execution loader persistence pyinstaller rat spyware stealer trojan upx
Link:
https://tria.ge/reports/260225-jfza2afy7f/
Behaviour
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
UPX packed file
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Detects DonutLoader
DonutLoader
Donutloader family
Xworm
Xworm family
Malware Config
C2 Extraction:
198.23.177.219:4445
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2fd18d94e14f0d6f387f32eee284d5896fe345f690b32cd754f0439d4f16aaed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:obfuscated_BAT
Create hunting rule
Author:@warz_s
Description:Identifies obfuscated BAT files
Reference:https://github.com/secwarz/YaraRules
Rule name:PowerShell_Susp_Parameter_Combo_RID336F
Create hunting rule
Author:Florian Roth
Description:Detects PowerShell invocation with suspicious parameters
Reference:https://goo.gl/uAic1X
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:WIN_FileFix_Detection
Create hunting rule
Author:dogsafetyforeverone
Description:Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference:FileFix social engineering with PowerShell and PHP commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/54540/

Comments