MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64aed0731939b7efb3032ad834d794151c8821e3afb7af034bd70236c71feb3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64aed0731939b7efb3032ad834d794151c8821e3afb7af034bd70236c71feb3c
SHA3-384 hash: 36ef99b7985ea0bb3bb5371c1c24af58b3b30dbe3ef431771a489f89738e4ea4bb2f6205b00e6c5f6daaaf961df42537
SHA1 hash: 48f8f46e4b1d49deb5d0bab8a25befc11d0c1ca2
MD5 hash: 9d0dffd34d742cf7979ff01ba1b8030c
humanhash: bakerloo-cardinal-twelve-oregon
File name:RBCDk.ps1
Download: download sample
File size:41'644 bytes
First seen:2026-01-26 08:32:15 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 768:GjJOtzkyqyihfffoEgw7OFPhvtM0h/Osp4z2/fbLAEj9xN4Fy:Ym5ihfffMw7OjvtMGLAA9xf
TLSH T1BF134B335923FDD1B77E2D84F9503D511C59782B87A8D2B8BBC8095E34B24A4DE1ACB4
Magika txt
Reporter JAMESWT_WT
Tags:21-tcp-vip-cpolar-cn ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
27
Origin country :
IT IT
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=697726a66fa3eed1652f0437
Tags:
virus xworm msil
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 obfuscated powershell reconnaissance xworm
Link:
https://www.filescan.io/uploads/6977269f5db9ae477091e51a/reports/451fb19b-321b-4f3b-98a9-14c2f8aeeef8/overview
Verdict:
Malicious
Labled as:
Trojan_MSIL_XWorm_C_MTB
Link:
https://www.hybrid-analysis.com/sample/64aed0731939b7efb3032ad834d794151c8821e3afb7af034bd70236c71feb3c
Result
Gathering data
Verdict:
Malicious
File Type:
text
First seen:
2026-01-24T19:10:00Z UTC
Last seen:
2026-01-25T17:25:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.MSIL.PowerShell.gen
Link:
https://opentip.kaspersky.com/64aed0731939b7efb3032ad834d794151c8821e3afb7af034bd70236c71feb3c/results?tab=lookup
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/64aed0731939b7efb3032ad834d794151c8821e3afb7af034bd70236c71feb3c
Verdict:
XWorm
YARA:
1 match(es)
Tags:
.Net Base64 Block Base64 Payload Contains Base64 Block Executable Managed .NET PE (Portable Executable) PE File Layout RAT SOS: 0.24 XWorm
Malware Config
C2 Extraction:
CNC: 21.tcp.vip.cpolar.cn
PORT: 12208
Link:
https://app.malva.re/file/9d0dffd34d742cf7979ff01ba1b8030c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/64aed0731939b7efb3032ad834d794151c8821e3afb7af034bd70236c71feb3c/
Verdict:
Malicious
Threat:
Trojan.MSIL.PowerShell
Link:
https://tip.neiki.dev/file/64aed0731939b7efb3032ad834d794151c8821e3afb7af034bd70236c71feb3c
Threat name:
ByteCode-MSIL.Trojan.XWorm
Create hunting rule
Status:
Malicious
First seen:
2026-01-25 12:50:21 UTC
File Type:
Text
AV detection:
15 of 36 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=msxna4yzhg367mydflmdjv4ucuoiqipdv6326a2l24bdnry75m6a._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
execution
Link:
https://tria.ge/reports/260126-kfj2sag15d/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PowerShell (PS) ps1 64aed0731939b7efb3032ad834d794151c8821e3afb7af034bd70236c71feb3c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3764067/
  
Delivery method
Distributed via web download

Comments