MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4727b6657618f21325ac0e5b837f1b54cb0751bf97ec87796cbb06f6deabd014. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4727b6657618f21325ac0e5b837f1b54cb0751bf97ec87796cbb06f6deabd014
SHA3-384 hash: 01ee54b5ef946626f2f511fe02e4a1ad22d9a77bc509d04a27a21ab1962394dae16ccc07c0682cf3c26566e9bf2b81b9
SHA1 hash: a88e48edcc816b5b048f5408854c200e6b28c90d
MD5 hash: 7243336767406d7c724c6a41d6ef44f4
humanhash: eighteen-kansas-oregon-music
File name:MEGO-BAT.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:421 bytes
First seen:2026-03-18 08:49:27 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 12:wbYVJ4JF4do984CXLgyaIS1PKC2ALFyGHDfhHXQ1MnGHXbk1N:wq4j4doEXLw1PKC2kFHDV9n
Threatray 1'007 similar samples on MalwareBazaar
TLSH T19DE0AB14573A310F499A85A6880D91DAE69DE2D8133B7AF779C8BC8049402CA7AAF18C
Magika batch
Reporter abuse_ch
Tags:bat xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
BatchScript
Details
BatchScript
varying reportable information from embedded commands and any observed URLs
Link:
https://research.acce.ciphertechsolutions.com/results/e4a2efdc-5a75-4a1a-8c73-b7c0cbe342cf/
Malware family:
n/a
ID:
1
File name:
MEGO-BAT.bat
Verdict:
Malicious activity
Analysis date:
2026-03-18 08:51:05 UTC
Tags:
github auto-sch telegram auto-reg stealer rat xworm auto-startup remote python powershell pyinstaller
Link:
https://app.any.run/tasks/82008d34-3f1d-4d0e-a64a-de397b61b319

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57896/
Detection(s):
SecuriteInfo.com.Generic.PWSH.Downloader.D.4EDB2A59.22854.6694.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69ba675693b644ca466b3b4c
Tags:
ransomware shell sage
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Connection attempt to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
alien base64 batch evasive lolbin obfuscated opendir persistence powershell schtasks
Link:
https://www.filescan.io/uploads/69ba67524ec2f522cc4d9884/reports/8eb4eacd-6990-49ec-9c9d-f0ff78d92e85/overview
Verdict:
Malicious
Labled as:
PWSH.Downloader.D.Generic
Link:
https://www.hybrid-analysis.com/sample/4727b6657618f21325ac0e5b837f1b54cb0751bf97ec87796cbb06f6deabd014
Verdict:
Malicious
File Type:
unix shell
Detections:
Trojan-Downloader.Agent.HTTP.C&C Trojan.Win32.Vimditator.sb Trojan.PowerShell.DefenderDisabler.sb HEUR:Backdoor.MSIL.XWorm.gen HEUR:Backdoor.MSIL.XClient.b Backdoor.MSIL.XWorm.a PDM:Trojan.Win32.Generic HEUR:Trojan.BAT.Alien.gen Trojan.Win32.Agent.sb Backdoor.MSIL.XWorm.b NetTool.PowerShellUA.HTTP.C&C NetTool.PowerShellGet.HTTP.C&C
Link:
https://opentip.kaspersky.com/4727b6657618f21325ac0e5b837f1b54cb0751bf97ec87796cbb06f6deabd014/results?tab=lookup
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1885423
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Disable Windows Defender real time protection (registry)
Disable Windows Notification Center
Disable Windows Toast Notifications
Disables UAC (registry)
Found malware configuration
Found pyInstaller with non standard icon
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential Privilege Escalation using Task Scheduler highest RunLevel
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Malicious PowerShell Commandlets - ProcessCreation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: PowerShell DownloadFile
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1885423 Sample: MEGO-BAT.bat Startdate: 18/03/2026 Architecture: WINDOWS Score: 100 88 raw.githubusercontent.com 2->88 90 ip-api.com 2->90 92 github.com 2->92 110 Suricata IDS alerts for network traffic 2->110 112 Found malware configuration 2->112 114 Malicious sample detected (through community Yara rule) 2->114 116 20 other signatures 2->116 10 cmd.exe 1 2->10         started        13 MEGO-BAT.exe 2->13         started        16 MEGO-BAT.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 file5 140 Suspicious powershell command line found 10->140 142 Uses cmd line tools excessively to alter registry or file data 10->142 144 Tries to download and execute files (via powershell) 10->144 146 3 other signatures 10->146 20 powershell.exe 17 17 10->20         started        25 conhost.exe 10->25         started        70 C:\Users\user\AppData\Local\...\zlib1.dll, PE32+ 13->70 dropped 72 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 13->72 dropped 74 C:\Users\user\AppData\Local\...\tk86t.dll, PE32+ 13->74 dropped 84 25 other malicious files 13->84 dropped 27 MEGO-BAT.exe 13->27         started        76 C:\Users\user\AppData\Local\...\zlib1.dll, PE32+ 16->76 dropped 78 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 16->78 dropped 80 C:\Users\user\AppData\Local\...\tk86t.dll, PE32+ 16->80 dropped 86 25 other malicious files 16->86 dropped 29 MEGO-BAT.exe 16->29         started        82 C:\Users\user\AppData\...\Security.exe.log, CSV 18->82 dropped 31 WerFault.exe 18->31         started        signatures6 process7 dnsIp8 94 156.233.71.230, 49693, 49701, 80 IKGUL-26484US Seychelles 20->94 66 C:\Users\user\AppData\Local\...\MEGO-BAT.bat, DOS 20->66 dropped 136 Found suspicious powershell code related to unpacking or dynamic code loading 20->136 138 Powershell drops PE file 20->138 33 cmd.exe 2 20->33         started        68 C:\ProgramData\Microsoft\...\Report.wer, Unicode 31->68 dropped file9 signatures10 process11 signatures12 102 Suspicious powershell command line found 33->102 104 Uses cmd line tools excessively to alter registry or file data 33->104 106 Tries to download and execute files (via powershell) 33->106 108 Adds a directory exclusion to Windows Defender 33->108 36 MEGO-BAT.exe 33->36         started        40 Security.exe 33->40         started        43 powershell.exe 33->43         started        45 22 other processes 33->45 process13 dnsIp14 54 C:\Users\user\AppData\Local\...\zlib1.dll, PE32+ 36->54 dropped 56 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 36->56 dropped 58 C:\Users\user\AppData\Local\...\tk86t.dll, PE32+ 36->58 dropped 64 25 other malicious files 36->64 dropped 118 Multi AV Scanner detection for dropped file 36->118 120 Found pyInstaller with non standard icon 36->120 47 MEGO-BAT.exe 36->47         started        96 ip-api.com 208.95.112.1, 49704, 49721, 80 TUT-ASUS United States 40->96 122 Antivirus detection for dropped file 40->122 124 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 40->124 49 WerFault.exe 40->49         started        98 github.com 140.82.114.4, 443, 49702 GITHUBUS United States 43->98 100 raw.githubusercontent.com 185.199.109.133, 443, 49703 FASTLYUS Netherlands 43->100 60 C:\ProgramData\WinGuard\Security.exe, PE32 43->60 dropped 126 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 43->126 62 C:\ProgramData\WinGuard\MEGO-BAT.exe, PE32+ 45->62 dropped 128 Creates multiple autostart registry keys 45->128 130 Disables UAC (registry) 45->130 132 Disable Windows Defender real time protection (registry) 45->132 134 3 other signatures 45->134 file15 signatures16 process17 file18 52 C:\ProgramData\Microsoft\...\Report.wer, Unicode 49->52 dropped
Score:
83%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/4727b6657618f21325ac0e5b837f1b54cb0751bf97ec87796cbb06f6deabd014
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4727b6657618f21325ac0e5b837f1b54cb0751bf97ec87796cbb06f6deabd014/
Verdict:
Malicious
Threat:
Backdoor.MSIL.XWorm
Link:
https://tip.neiki.dev/file/4727b6657618f21325ac0e5b837f1b54cb0751bf97ec87796cbb06f6deabd014
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2026-03-17 20:23:28 UTC
File Type:
Text (Batch)
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i4t3mzlwddzbgjnmbznyg7y3ktfqoun7s7wio6lmxmdpnxvl2aka._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
0661369bcc84ed31ddf3effe5165105748fa42b9d0bbfef276ed606a3093c417
XWorm
18e12d14af3a56c13b89d8df3c0f8e808fbdfd7da4e47cf63875cd2500a1f165
XWorm
22340b89f926ff263bd94dbf8966b71afb1bb6c5618ecb593bc1e7b4566ece1a
XWorm
639e0c6a4c6a4864c73ed5836bc9578cb5272d94d0b133d73b339cfcf8eced5f
XWorm
97ec87ee7a7524fca040dba89ded6cb931124268b6ad6ba1e49bfdda9d39e567
XWorm
a1ca3ec0f2943796aae7d3476c7a88c763daf0d5fe700f40978aea892c4820fb
XWorm
a5b6b39303894624a2a833522ccec4085eedb74667fc8438a97b1ea50417b6b7
XWorm
error
XWorm
+ 997 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm defense_evasion evasion execution persistence pyinstaller rat trojan
Link:
https://tria.ge/reports/260318-krt15aew2x/
Behaviour
Modifies registry class
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Detects Pyinstaller
Enumerates physical storage devices
Adds Run key to start application
Contacts third-party web service commonly abused for C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Detect Xworm Payload
Modifies Windows Defender DisableAntiSpyware settings
Modifies Windows Defender Real-time Protection settings
UAC bypass
Xworm
Xworm family
Malware Config
C2 Extraction:
slashxx.duckdns.org:4040
Dropper Extraction:
http://156.233.71.230/EN/Exe/DBopwb/MEGO-BAT.ico
http://156.233.71.230/EN/Exe/DBopwb/MEGO-BAT.exe
https://github.com/moyousry95/slash2/raw/refs/heads/main/Security.exe
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4727b6657618/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4727b6657618f21325ac0e5b837f1b54cb0751bf97ec87796cbb06f6deabd014

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_PowerShell_Base64_Decode
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects PowerShell code to decode Base64 data. This can yield many FP
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Batch (bat) bat 4727b6657618f21325ac0e5b837f1b54cb0751bf97ec87796cbb06f6deabd014

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/57896/
  
URLhaus
https://urlhaus.abuse.ch/url/3798111/
  
Delivery method
Distributed via web download

Comments