MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f66d285b90dacd2a151476002d0448e556ce02f2ba263bfbd468bae9c444299. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: XWorm

Vendor detections: 8

SHA256 hash: 5f66d285b90dacd2a151476002d0448e556ce02f2ba263bfbd468bae9c444299
SHA3-384 hash: 6fa7ae7b60857b008f8aef1e55aa0cf39b7915b30558281fc68a54ee8318aac139c550be5b8e62a49e160c0451a9231b
SHA1 hash: 148027e2fafa9482fec6e5869e7c5e448580c26e
MD5 hash: a755d2eb0b02dbb407d446d262e4ca8b
humanhash: one-south-oklahoma-texas
File name: 2.bat
Signature: XWorm
File size: 37 bytes
First seen: 2025-05-28 21:29:11 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/plain
ssdeep: 3:VSJJFHPFV/mLXNw5T:s7Gi5T
Threatray: 309 similar samples on MalwareBazaar
TLSH: TNULL
Magika: batch
Reporter: BastianHein
Tags: bat xworm

Intelligence


File Origin
# of uploads: 1
# of downloads: 122
Origin country: CL
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 2.bat
Verdict: Malicious activity
Analysis date: 2025-05-28 21:48:11 UTC
Tags: auto-sch pastebin auto-reg auto-startup xworm

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 97.4%
Tags: asyncrat autorun emotet cobalt

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 dropper evasive powershell svchost.exe
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 92 / 100
Signature:
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious Invoke-WebRequest Execution
Suspicious powershell command line found
Yara detected Powershell decode and execute
Result
Malware family:
Score: 10/10
Tags: family:xworm defense_evasion execution persistence rat trojan
Behaviour:
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Blocklisted process makes network request
Sets service image path in registry
Detect Xworm Payload
Xworm
Xworm family
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments