MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 460e7320f7296e8f2b1fd0e980b0c2b2d3a1f6ae6376b4f8bde7b33f696bd472. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	460e7320f7296e8f2b1fd0e980b0c2b2d3a1f6ae6376b4f8bde7b33f696bd472
SHA3-384 hash:	359013b01ef868d414810112d4908314e13e245b0904aa5f39e9f6914ca0edc3f771c1ca6839ebdc111a2442b00c5152
SHA1 hash:	cd9c4bb24d3b1203919a1da5fc824c6276b7698d
MD5 hash:	1f4ffa3e233faf682dc7a8d3706b1161
humanhash:	ceiling-fourteen-kitten-king
File name:	bat.bat
Download:	download sample
Signature	XWorm Create hunting rule
File size:	378'605 bytes
First seen:	2025-05-28 21:29:25 UTC
Last seen:	Never
File type:	bat
MIME type:	text/x-msdos-batch
ssdeep	6144:/RgkT67nE9VH7GREQyK2MgZgiZWXZEPoqqd9ueUdqEJd1oZeut4SpXXn:/RgkTKEDCqx7dZgjpRqGGJPoxaSpXX
Threatray	31 similar samples on MalwareBazaar
TLSH	T13C84EFAA1FEC97DBAE75D28B78847B3717488D454789064B2CCA6D0172B170EFFC9A00
Magika	txt
Reporter	BastianHein
Tags:	bat xworm

Intelligence

File Origin

# of uploads :

# of downloads :

120

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1eebc8b1-6245-4384-b7fa-4140e83bb8fb

Verdict:

No threats detected

Analysis date:

2025-05-28 11:35:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1eebc8b1-6245-4384-b7fa-4140e83bb8fb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/6083/

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6836f4f7668438e362e7a8ca

Tags:

n/a

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm base64 cmd evasive explorer fingerprint lolbin msconfig obfuscated packed powershell reconnaissance

Link:

https://www.filescan.io/uploads/68378090fd02ed5e058d3f2e/reports/eeac4904-af37-4949-aefb-6f56e1e56c4c/overview

Verdict:

Malicious

Labled as:

BAT/Kryptik.Y trojan

Link:

https://www.hybrid-analysis.com/sample/460e7320f7296e8f2b1fd0e980b0c2b2d3a1f6ae6376b4f8bde7b33f696bd472

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1701108

Signature

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Creates a thread in another existing process (thread injection)

Creates autostart registry keys with suspicious names

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects code into the Windows Explorer (explorer.exe)

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Powershell drops PE file

Protects its processes via BreakOnTermination flag

Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)

Queries temperature or sensor information (via WMI often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious powershell command line found

System process connects to network (likely due to code injection or exploit)

Writes to foreign memory regions

Yara detected Powershell decode and execute

Yara detected Powershell decrypt and execute

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/460e7320f7296e8f2b1fd0e980b0c2b2d3a1f6ae6376b4f8bde7b33f696bd472

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/460e7320f7296e8f2b1fd0e980b0c2b2d3a1f6ae6376b4f8bde7b33f696bd472/

Threat name:

Script-BAT.Trojan.Alien

Status:

Malicious

First seen:

2025-05-28 11:35:20 UTC

File Type:

Text

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=iyhhgihxffxi6ky72duybmgcwlj2d5vomn3lj6f546zt62ll2rza._file

Result

Malware family:

xworm

Score:

10/10

Tags:

family:donutloader family:xworm defense_evasion execution loader persistence rat trojan

Link:

https://tria.ge/reports/250528-1cynrsttc1/

Behaviour

Modifies data under HKEY_USERS

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Drops file in System32 directory

Adds Run key to start application

Enumerates connected drives

Executes dropped EXE

Indicator Removal: Clear Windows Event Logs

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Detect Xworm Payload

Detects DonutLoader

DonutLoader

Donutloader family

Xworm

Xworm family

Malware Config

C2 Extraction:

proportmapper04-35925.portmap.io:35925

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/460e7320f7296e8f2b1fd0e980b0c2b2d3a1f6ae6376b4f8bde7b33f696bd472

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/6083/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample