MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cf1c68d259035f265168771686ac382616e240c82e0c449589cd66dc181549e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6cf1c68d259035f265168771686ac382616e240c82e0c449589cd66dc181549e
SHA3-384 hash: 279646ca6a02a70e07c280f42f6bdf947d55ca23b5b5f4ee7b77d43c5b094bfe40183b2ad59e7fb630fd8adbf3a9ea76
SHA1 hash: 4843cfecd30ddc874595eeb6d306843d35aec123
MD5 hash: 73a736420e050c2f897fc8973de1576e
humanhash: one-single-six-william
File name:Overdue_Invoice.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:124'385 bytes
First seen:2025-10-30 22:05:33 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 1536:CHvyjkG77Fr678hsxpERnJrjhq2AC5lBJW34xXzh9rBMahZkitlueQ6jGM4fSOj1:0yjkM7FrODYRnmeM4xDh9reiPEfy3vk
Threatray 47 similar samples on MalwareBazaar
TLSH T1ABC3A339C7BCBFE0C36D31F0DD7A3A0A9339D642A76E3BD8B8B114542850147AB1652B
Magika batch
Reporter smica83
Tags:bat xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Overdue_Invoice.bat
Verdict:
Malicious activity
Analysis date:
2025-10-30 22:08:24 UTC
Tags:
auto-startup evasion susp-powershell remote xworm
Link:
https://app.any.run/tasks/da0b898b-ace5-4091-81c0-926d221164d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34858/
Verdict:
Clean
Score:
82.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6903e1539942f1282ecab554
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching cmd.exe command interpreter
Creating a file
Launching a process
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Creating a window
Setting a global event handler for the keyboard
Query of malicious DNS domain
Enabling autorun by creating a file
Verdict:
Suspicious
Labled as:
BAT/TrojanDropper.Agent
Link:
https://www.hybrid-analysis.com/sample/6cf1c68d259035f265168771686ac382616e240c82e0c449589cd66dc181549e
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-10-30T19:27:00Z UTC
Last seen:
2025-10-31T22:38:00Z UTC
Hits:
~10
Detections:
Backdoor.MSIL.XWorm.b Backdoor.MSIL.XWorm.a Backdoor.MSIL.Crysan.d Trojan.PowerShell.AmsiBypass.sb PDM:Trojan.Win32.Generic Trojan.BAT.Agent.sb HEUR:Trojan.PowerShell.Tesre.sb HEUR:Trojan.BAT.Tesre.gen
Link:
https://opentip.kaspersky.com/6cf1c68d259035f265168771686ac382616e240c82e0c449589cd66dc181549e/results?tab=lookup
Result
Threat name:
AsyncRAT, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1805469
Signature
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AsyncRAT
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1805469 Sample: Overdue_Invoice.bat Startdate: 30/10/2025 Architecture: WINDOWS Score: 100 101 ip-api.com 2->101 105 Suricata IDS alerts for network traffic 2->105 107 Found malware configuration 2->107 109 Malicious sample detected (through community Yara rule) 2->109 111 18 other signatures 2->111 10 cmd.exe 1 2->10         started        13 cmd.exe 1 2->13         started        15 cmd.exe 2->15         started        17 5 other processes 2->17 signatures3 process4 dnsIp5 127 Suspicious powershell command line found 10->127 20 cmd.exe 1 10->20         started        22 conhost.exe 10->22         started        25 cmd.exe 1 13->25         started        27 conhost.exe 13->27         started        29 cmd.exe 15->29         started        31 conhost.exe 15->31         started        99 127.0.0.1 unknown unknown 17->99 33 cmd.exe 17->33         started        35 cmd.exe 17->35         started        37 6 other processes 17->37 signatures6 process7 signatures8 39 cmd.exe 3 20->39         started        113 Suspicious powershell command line found 22->113 42 cmd.exe 1 25->42         started        44 cmd.exe 29->44         started        46 cmd.exe 33->46         started        48 cmd.exe 35->48         started        50 cmd.exe 1 37->50         started        52 cmd.exe 37->52         started        process9 signatures10 115 Suspicious powershell command line found 39->115 54 powershell.exe 15 29 39->54         started        59 conhost.exe 39->59         started        61 powershell.exe 42->61         started        63 conhost.exe 42->63         started        65 2 other processes 44->65 67 2 other processes 46->67 69 2 other processes 48->69 71 2 other processes 50->71 73 2 other processes 52->73 process11 dnsIp12 103 ip-api.com 208.95.112.1, 49720, 49733, 49736 TUT-ASUS United States 54->103 85 C:\Users\user\AppData\Roaming\...\0457.bat, ASCII 54->85 dropped 117 Drops script or batch files to the startup folder 54->117 119 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 54->119 121 Found suspicious powershell code related to unpacking or dynamic code loading 54->121 123 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 54->123 75 WerFault.exe 20 16 54->75         started        87 C:\Users\user\AppData\Roaming\...\aecc.bat, ASCII 61->87 dropped 125 Loading BitLocker PowerShell Module 61->125 77 WerFault.exe 61->77         started        89 C:\Users\user\AppData\Roaming\...\500b.bat, ASCII 65->89 dropped 79 WerFault.exe 65->79         started        91 C:\Users\user\AppData\Roaming\...\4674.bat, ASCII 67->91 dropped 81 WerFault.exe 67->81         started        93 C:\Users\user\AppData\Roaming\...\72a4.bat, ASCII 69->93 dropped 83 WerFault.exe 69->83         started        95 C:\Users\user\AppData\Roaming\...\4baf.bat, ASCII 71->95 dropped 97 C:\Users\user\AppData\Roaming\...\0936.bat, ASCII 73->97 dropped file13 signatures14 process15
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/6cf1c68d259035f265168771686ac382616e240c82e0c449589cd66dc181549e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6cf1c68d259035f265168771686ac382616e240c82e0c449589cd66dc181549e/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/6cf1c68d259035f265168771686ac382616e240c82e0c449589cd66dc181549e
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nty4ndjfsa27eziwq5ywq2wdqjqw4jamqlqmiskyttlg3qmbkspa._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
203d89bb4cc6f43407327ed2c132bbe394cb55f7ff3cd4f84038943df2e0ebf7
XWorm
4fc5db02f555a38fe3a0153e1f7d8261fc545a9ac7a2951a4558f5571b20531d
XWorm
581ccdedd0f1e52d4827a25038c0eeb4f3526cbcb430df2cb3f8607995805991
XWorm
99fa7aa6955981c6018c0da6d71164a00f53b13ae0aa78597aed99524aa7b40d
XWorm
b28e9143b0145815895234c4821a0ae599d81ac56dc9910658c010f5f1ae7b13
XWorm
bc4a510046a3fe5f115e3087cb40fd0789f0f0cec4eef02d9c0e6d4930753ed7
XWorm
e7c60c0cc05617a16a7178aec3e120731814d2f62810dbea204e16e5f39fb29c
XWorm
error
XWorm
f3da246accb9e31bdb4e51187dada28e4c71a927c56adea2333fb9625b1bf7f5
XWorm
+ 37 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/251030-1z1fwavldw/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Drops startup file
Badlisted process makes network request
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
prakashjadha.ddnsgeek.com:1008
83.147.243.110:1008
pradeepprabhu705.duckdns.org:1008
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6cf1c68d2590/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6cf1c68d259035f265168771686ac382616e240c82e0c449589cd66dc181549e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34858/

Comments