MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ed8d3644585e7a3c4e49ccb716e72950349d35144e912d7e9bc4b810abe62ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	3ed8d3644585e7a3c4e49ccb716e72950349d35144e912d7e9bc4b810abe62ac
SHA3-384 hash:	ab52dfa58855007ecff9796365f32101334948d2deea2f0506067cfe857b04dadf12083d3f0a5d78ede13e856432176e
SHA1 hash:	092eeeb8db0484665863f7ed62df22b2315f7cd4
MD5 hash:	c278a3263d5810d94f623b6bb33c7e33
humanhash:	stream-mobile-nuts-uncle
File name:	ORDER - PO_1306.PDF 51 KB.bat
Download:	download sample
Signature	XWorm Create hunting rule
File size:	119'064 bytes
First seen:	2025-10-24 13:14:08 UTC
Last seen:	Never
File type:	bat
MIME type:	text/plain
ssdeep	1536:i3mfekqI2CYbKYkav4B+GOQNfVQlIfVcHNVp0KpnqmTaIlj6dzY/qfpI3PGaEF0F:i3mlqI2C+KYkOnqQj6dzY/qghEaSG
Threatray	1'225 similar samples on MalwareBazaar
TLSH	T120C3813A9D78A9CC7359708FB5592A1B304BF94FA373CADCEE83C49228175419B910DB
Magika	batch
Reporter	James_inthe_box
Tags:	bat exe xworm

Intelligence

File Origin

# of uploads :

# of downloads :

111

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ORDER - PO_1306.PDF 51 KB.bat

Verdict:

No threats detected

Analysis date:

2025-10-24 13:22:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/55a629cf-ed00-49e3-a252-3d00ba8646ed

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/34053/

Detection(s):

Sanesecurity.Rogue.0hr.20251021-0937.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68fb7bc93bdc93eb0563d763

Tags:

xtreme shell virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Running batch commands

Launching cmd.exe command interpreter

Creating a file

Delayed writing of the file

Launching a process

Сreating synchronization primitives

Creating a window

Setting a global event handler for the keyboard

Connection attempt to an infection source

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

base64 batch evasive masquerade obfuscated powershell

Link:

https://www.filescan.io/uploads/68fb7bd311ff3db29f67c121/reports/acb83e13-7300-4c8f-aaee-9153f54d8d6e/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/3ed8d3644585e7a3c4e49ccb716e72950349d35144e912d7e9bc4b810abe62ac

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-20T22:01:00Z UTC

Last seen:

2025-10-26T08:47:00Z UTC

Hits:

~1000

Detections:

HEUR:Trojan.BAT.Tesre.gen Trojan.PowerShell.AmsiBypass.sb PDM:Trojan.Win32.Generic Backdoor.MSIL.XWorm.b Backdoor.Agent.TCP.C&C Trojan.BAT.Agent.sb HEUR:Trojan.PowerShell.Tesre.sb

Link:

https://opentip.kaspersky.com/3ed8d3644585e7a3c4e49ccb716e72950349d35144e912d7e9bc4b810abe62ac/results?tab=lookup

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/3ed8d3644585e7a3c4e49ccb716e72950349d35144e912d7e9bc4b810abe62ac

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3ed8d3644585e7a3c4e49ccb716e72950349d35144e912d7e9bc4b810abe62ac/

Verdict:

Malicious

Threat:

Backdoor.MSIL.XWorm

Link:

https://tip.neiki.dev/file/3ed8d3644585e7a3c4e49ccb716e72950349d35144e912d7e9bc4b810abe62ac

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2025-10-21 02:25:21 UTC

File Type:

Text (Batch)

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=h3mngzcfqxt2hrhettfxc3tssubutu2riturfv7jxrfyccv6mkwa._file

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm execution rat trojan

Link:

https://tria.ge/reports/251024-qg5yjayrfs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: PowerShell

Badlisted process makes network request

Detect Xworm Payload

Xworm

Xworm family

Malware Config

C2 Extraction:

107.172.44.153:6000

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3ed8d3644585/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3ed8d3644585e7a3c4e49ccb716e72950349d35144e912d7e9bc4b810abe62ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/34053/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample