MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38e8f36d5bc775c1981f356af044717bb9e332dfddd64ee5be4a592cd3524fd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38e8f36d5bc775c1981f356af044717bb9e332dfddd64ee5be4a592cd3524fd6
SHA3-384 hash: afbdb1872ae4546b1fca0296e2a4a35bb8e86f302f4e1a6220d4f0a7a6ba475e145693d6de0711d882e1b4c9ccaf4f57
SHA1 hash: a422abe6224e110fdff1ea6a563ed55e1152d300
MD5 hash: 8e9db3fa6357e197b2338e8d71c3d2b3
humanhash: iowa-iowa-blossom-network
File name:Hesap bilgilerini doğrulayın.bat
Download: download sample
File size:182'000 bytes
First seen:2025-11-20 07:04:56 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 3072:FK8P2ZWWAdTnaJARAbPrrWrWuU6/rgcbp5WmckL0ZXO1yXBDQmEyAcNMJtogBulC:FFP2ZWWAdTnaJARAbPrrWrWuU6/rgcbv
Threatray 105 similar samples on MalwareBazaar
TLSH T13B04B4FEF8539A8E074B2A75E624AEFF47453261E2123D38E5B4B4D81C18D54EB2C50E
Magika batch
Reporter abuse_ch
Tags:bat geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
46
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Hesap bilgilerini doğrulayın.bat
Verdict:
Suspicious activity
Analysis date:
2025-11-20 07:07:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e82d3c69-5fbf-4b25-9940-a6de066d30ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38768/
Detection(s):
SecuriteInfo.com.BAT.Obfus-10.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Score:
50%
Link:
https://cyber-fortress.com/docs/result/index.php?id=691ebdcb27c5936d7d0dfffe
Tags:
obfuscate xtreme shell
Result
Verdict:
Clean
Maliciousness:

Behaviour
Running batch commands
Launching cmd.exe command interpreter
Launching a process
DNS request
Connection attempt
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 batch evasive obfuscated powershell
Link:
https://www.filescan.io/uploads/691ebdbe419ba6b30e820db0/reports/2d56bcc2-5a2b-45b5-a2c3-e350181cf38b/overview
Verdict:
Malicious
Labled as:
Trojan/BAT.Obfus
Link:
https://www.hybrid-analysis.com/sample/38e8f36d5bc775c1981f356af044717bb9e332dfddd64ee5be4a592cd3524fd6
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-11-18T09:21:00Z UTC
Last seen:
2025-11-21T23:22:00Z UTC
Hits:
~100
Detections:
Backdoor.Agent.TCP.C&C Trojan.BAT.Agent.sb HEUR:Trojan.PowerShell.Tesre.sb HEUR:Trojan.BAT.Tesre.gen Backdoor.MSIL.XWorm.b Trojan.PowerShell.AmsiBypass.sb PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/38e8f36d5bc775c1981f356af044717bb9e332dfddd64ee5be4a592cd3524fd6/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1817520
Signature
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1817520 Sample: Hesap bilgilerini do#U011fr... Startdate: 20/11/2025 Architecture: WINDOWS Score: 96 23 Malicious sample detected (through community Yara rule) 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected Powershell decode and execute 2->27 29 5 other signatures 2->29 8 cmd.exe 1 2->8         started        process3 signatures4 33 Suspicious powershell command line found 8->33 35 Bypasses PowerShell execution policy 8->35 11 cmd.exe 1 8->11         started        13 conhost.exe 8->13         started        process5 process6 15 cmd.exe 1 11->15         started        signatures7 37 Suspicious powershell command line found 15->37 18 powershell.exe 17 15->18         started        21 conhost.exe 15->21         started        process8 signatures9 31 Found suspicious powershell code related to unpacking or dynamic code loading 18->31
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/38e8f36d5bc775c1981f356af044717bb9e332dfddd64ee5be4a592cd3524fd6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38e8f36d5bc775c1981f356af044717bb9e332dfddd64ee5be4a592cd3524fd6/
Verdict:
Malicious
Threat:
Trojan.MSIL.XWorm
Link:
https://tip.neiki.dev/file/38e8f36d5bc775c1981f356af044717bb9e332dfddd64ee5be4a592cd3524fd6
Threat name:
Text.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-11-18 22:39:21 UTC
File Type:
Text (Batch)
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hdupg3k3y524dga7gvvpardrpo46gmw73xle5zn6jjmszu2sj7la._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
3b79f7b592b36bc59710bd33e383512f6b4a608e526322ea7434e5f0d99d8d42
4fc5db02f555a38fe3a0153e1f7d8261fc545a9ac7a2951a4558f5571b20531d
9eee104aa1ddc7ab9a4a2e1a9f6020bd01d0f19bfcbeddbae332b1f9b4439c64
bc4a510046a3fe5f115e3087cb40fd0789f0f0cec4eef02d9c0e6d4930753ed7
d436b01ea1ce184f3e4e3e2ff3cfd4841f21e5008c6c827a2342c69711eae8c5
e7c60c0cc05617a16a7178aec3e120731814d2f62810dbea204e16e5f39fb29c
error
f3da246accb9e31bdb4e51187dada28e4c71a927c56adea2333fb9625b1bf7f5
f4073f71a9d0616905a018e6f42c60530ffaad1cba3f1057d3f47b82fa3f90e5
+ 95 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
execution
Link:
https://tria.ge/reports/251120-hwtj2s1nbz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/38e8f36d5bc775c1981f356af044717bb9e332dfddd64ee5be4a592cd3524fd6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/38768/

Comments