MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 551b0a6bc3aa19879c1936a0d91a73e44e57dffa057a3ac90bf8b009e840e516. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 551b0a6bc3aa19879c1936a0d91a73e44e57dffa057a3ac90bf8b009e840e516
SHA3-384 hash: 7404d773907e9d48eb9f3b09b2bba0b15057bd6e5593c4a7fcec89425c8c01145b86366468cc229d7b0c3e80c0dc4972
SHA1 hash: 5ad7c7a50bdcaea3074cc50428ca5cae23fc42a1
MD5 hash: f0dde7b47ca66cafa71fa3124cd083f4
humanhash: table-five-pizza-bakerloo
File name:f0dde7b47ca66cafa71fa3124cd083f4.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:59'061 bytes
First seen:2025-02-26 08:57:40 UTC
Last seen:2025-03-13 10:48:30 UTC
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 768:69giH97PykCJVGE27HeweVK93yvUaS6L4rLoSpEe147yUj4T1V0QtPTjK6:69B4kCKX7Ne8wyLI7l8T1qAbn
Threatray 1'932 similar samples on MalwareBazaar
TLSH T1CD43C00668AAFC1527A5C3372CA3BB2F877D1DD51296C3C06197225BA4D3158DBC7B8C
Magika powershell
Reporter abuse_ch
Tags:45-88-186-38 bat xworm

Intelligence

File Origin
# of uploads :
6
# of downloads :
87
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f0dde7b47ca66cafa71fa3124cd083f4.bat
Verdict:
Malicious activity
Analysis date:
2025-02-26 10:08:30 UTC
Tags:
remote xworm
Link:
https://app.any.run/tasks/c7c1d9e1-eea8-4a25-8476-652b07fd603c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BV.Agent-BZW.9775.32580.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67bed7fda0fd713c335ce99b
Tags:
obfuscate xtreme shell
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/67bed7ae3afc3763bec76bfe/reports/ac70d45b-f36a-4b1e-9ccc-eee5c06bf058/overview
Verdict:
Suspicious
Labled as:
PowerShell/Kryptik.H trojan
Link:
https://www.hybrid-analysis.com/sample/551b0a6bc3aa19879c1936a0d91a73e44e57dffa057a3ac90bf8b009e840e516
Result
Verdict:
SUSPICIOUS
Details
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1624469
Signature
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell decrypt and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1624469 Sample: VhdbvkjKmO.bat Startdate: 26/02/2025 Architecture: WINDOWS Score: 100 63 licensing.tools 2->63 73 Suricata IDS alerts for network traffic 2->73 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 18 other signatures 2->79 12 cmd.exe 1 2->12         started        15 wscript.exe 1 2->15         started        signatures3 process4 signatures5 93 Suspicious powershell command line found 12->93 95 Wscript starts Powershell (via cmd or directly) 12->95 97 Bypasses PowerShell execution policy 12->97 17 powershell.exe 17 21 12->17         started        22 conhost.exe 12->22         started        99 Windows Scripting host queries suspicious COM object (likely to drop second stage) 15->99 101 Suspicious execution chain found 15->101 process6 dnsIp7 61 licensing.tools 104.21.74.243, 443, 49710 CLOUDFLARENETUS United States 17->61 57 C:\Users\user\AppData\...\ecm0i2vzpwd8.vbs, ASCII 17->57 dropped 59 C:\Users\user\AppData\...\ecm0i2vzpwd8.bat, DOS 17->59 dropped 81 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->81 83 Suspicious powershell command line found 17->83 85 Adds a directory exclusion to Windows Defender 17->85 24 wscript.exe 1 17->24         started        27 powershell.exe 37 17->27         started        29 powershell.exe 23 17->29         started        31 ReAgentc.exe 3 17->31         started        file8 signatures9 process10 signatures11 87 Wscript starts Powershell (via cmd or directly) 24->87 33 cmd.exe 24->33         started        89 Loading BitLocker PowerShell Module 27->89 36 conhost.exe 27->36         started        38 conhost.exe 29->38         started        40 conhost.exe 31->40         started        process12 signatures13 69 Suspicious powershell command line found 33->69 71 Wscript starts Powershell (via cmd or directly) 33->71 42 powershell.exe 33->42         started        46 conhost.exe 33->46         started        process14 dnsIp15 65 45.88.186.38, 49823, 7232 ANONYMIZEEpikNetworkCH Netherlands 42->65 91 Adds a directory exclusion to Windows Defender 42->91 48 powershell.exe 42->48         started        51 ReAgentc.exe 42->51         started        signatures16 process17 signatures18 67 Loading BitLocker PowerShell Module 48->67 53 conhost.exe 48->53         started        55 conhost.exe 51->55         started        process19
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/551b0a6bc3aa19879c1936a0d91a73e44e57dffa057a3ac90bf8b009e840e516
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/551b0a6bc3aa19879c1936a0d91a73e44e57dffa057a3ac90bf8b009e840e516/
Threat name:
Script-BAT.Backdoor.Xworm
Create hunting rule
Status:
Suspicious
First seen:
2025-02-26 09:07:15 UTC
File Type:
Text (PowerShell)
AV detection:
9 of 38 (23.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kunqu26dvimyphazg2qnsgtt4rhfpx72av5dvsil7cyat2ca4ula._file
Verdict:
malicious
Label(s):
unknown_loader_040
Create hunting rule
xworm
Create hunting rule
Similar samples:
2a8290c18d10fa8a7e99575855b9fb8e734ea92b1aa7dce9840282c2657ba08c
XWorm
3e725d0efe588ac45c5bfa6aee1b6d5e75b65aa3a301e274c5e8e825ac390b7e
XWorm
497f32eb65c30742069ce49a41270eab82d3a5cd1e36958e3608304f53507a0f
XWorm
53a2f686422f9f71b69d3a9699661c96dc1375d490ea188d5141bb1e8ae89029
XWorm
80a21952b87d83eb419768268b334364ecab48dbb9cbe55b967ba9636e512cab
XWorm
95bd50b1c849b16159f239b176e9c48d97bc7d841441829ec974997a93cb4c1e
XWorm
d0ef84c36715bc834f68415f2b16ca2e8088141a83231f27c4a7d6285d4b6d1a
XWorm
e0136c60554112e94e8ec739c2a19754e9f844d3979a286b17e0e79fff275993
XWorm
error
XWorm
fbb6e25ede47737ad9d540192a46117ce42c6e24c7ce60d027e36ff49cba8213
XWorm
+ 1'922 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/250226-kw98xatjx7/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
45.88.186.38:7232
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/551b0a6bc3aa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/551b0a6bc3aa19879c1936a0d91a73e44e57dffa057a3ac90bf8b009e840e516

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Batch (bat) bat 551b0a6bc3aa19879c1936a0d91a73e44e57dffa057a3ac90bf8b009e840e516

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3452863/
  
Delivery method
Distributed via web download

Comments