MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70ef0ca420dfedb0204a12da7b0206647003a1296cc91f4ae9eb7c0d8d403812. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 70ef0ca420dfedb0204a12da7b0206647003a1296cc91f4ae9eb7c0d8d403812
SHA3-384 hash: e045dee858876e1c4c8da876d640120969abe6d47829b767e7e5451fe032ec0a730c8920c1f8718f723b3f8a15edbcc6
SHA1 hash: 9fa899913bf90ab98d5a9234ef182f890d4f0d07
MD5 hash: 01dcbb8dc82e27abd4a0d5ab6d0df0f4
humanhash: muppet-river-asparagus-mountain
File name:ICICIPayment.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:199'719 bytes
First seen:2025-10-15 15:50:15 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 1536:Jq1pbZ97QFiufsOh656JKCYsZvFddM5Wbk+vMO2/CmJvJrxikoW6Ihts:OXGFdm5WrgCmJ/imphts
Threatray 2'271 similar samples on MalwareBazaar
TLSH T10D14C77BF3896DEB57BBE297A0CB27460808414F532402D89AD2FF57F54263ACAD9344
Magika batch
Reporter abuse_ch
Tags:bat xworm


Avatar
abuse_ch
XWorm C2:
83.147.243.110:1007

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
83.147.243.110:1007 https://threatfox.abuse.ch/ioc/1616091/

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QuarantineMessage (19).zip
Verdict:
Malicious activity
Analysis date:
2025-10-15 13:01:10 UTC
Tags:
arch-exec evasion remote xworm susp-powershell
Link:
https://app.any.run/tasks/25b2f92f-1e81-4418-9ded-396778c9bdaf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/32949/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68efbb4d04e22ce9acda6f62
Tags:
obfuscate autorun xtreme shell
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
base64 evasive masquerade obfuscated powershell
Link:
https://www.filescan.io/uploads/68efc2dadf5cb32bf1eeb268/reports/a534eade-2b97-4a15-b7a0-9c6700f5fea1/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/70ef0ca420dfedb0204a12da7b0206647003a1296cc91f4ae9eb7c0d8d403812
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-10-15T13:12:00Z UTC
Last seen:
2025-10-17T07:21:00Z UTC
Hits:
~10
Detections:
Backdoor.Agent.TCP.C&C Backdoor.MSIL.XWorm.a Backdoor.MSIL.Crysan.d Trojan.Win32.Agent.sb Trojan.BAT.Agent.sb HEUR:Trojan.PowerShell.Tesre.sb Backdoor.MSIL.XWorm.b Trojan.PowerShell.AmsiBypass.sb PDM:Trojan.Win32.Generic HEUR:Trojan.BAT.Tesre.gen Backdoor.MSIL.Agent.sb
Link:
https://opentip.kaspersky.com/70ef0ca420dfedb0204a12da7b0206647003a1296cc91f4ae9eb7c0d8d403812/results?tab=lookup
Result
Threat name:
AsyncRAT, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1795916
Signature
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AsyncRAT
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1795916 Sample: ICICIPayment.bat Startdate: 15/10/2025 Architecture: WINDOWS Score: 100 59 ip-api.com 2->59 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for URL or domain 2->69 71 16 other signatures 2->71 10 cmd.exe 1 2->10         started        13 cmd.exe 1 2->13         started        15 cmd.exe 1 2->15         started        signatures3 process4 signatures5 83 Suspicious powershell command line found 10->83 17 cmd.exe 1 10->17         started        19 conhost.exe 10->19         started        21 cmd.exe 1 13->21         started        23 conhost.exe 13->23         started        25 cmd.exe 1 15->25         started        27 conhost.exe 15->27         started        process6 process7 29 cmd.exe 3 17->29         started        32 cmd.exe 2 21->32         started        34 cmd.exe 2 25->34         started        signatures8 85 Suspicious powershell command line found 29->85 36 powershell.exe 35 35 29->36         started        41 conhost.exe 29->41         started        43 powershell.exe 32->43         started        45 conhost.exe 32->45         started        47 powershell.exe 34->47         started        49 conhost.exe 34->49         started        process9 dnsIp10 61 83.147.243.110, 1007, 49691 BAHARNETIR Iran (ISLAMIC Republic Of) 36->61 63 ip-api.com 208.95.112.1, 49690, 80 TUT-ASUS United States 36->63 53 C:\Users\user\AppData\Roaming\...\3924.bat, ASCII 36->53 dropped 73 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 36->73 75 Query firmware table information (likely to detect VMs) 36->75 77 Drops script or batch files to the startup folder 36->77 81 3 other signatures 36->81 51 wermgr.exe 14 36->51         started        55 C:\Users\user\AppData\Roaming\...\c17f.bat, ASCII 43->55 dropped 79 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 43->79 57 C:\Users\user\AppData\Roaming\...\c557.bat, ASCII 47->57 dropped file11 signatures12 process13
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/70ef0ca420dfedb0204a12da7b0206647003a1296cc91f4ae9eb7c0d8d403812
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/70ef0ca420dfedb0204a12da7b0206647003a1296cc91f4ae9eb7c0d8d403812/
Verdict:
Malicious
Threat:
Backdoor.MSIL.XWorm
Link:
https://tip.neiki.dev/file/70ef0ca420dfedb0204a12da7b0206647003a1296cc91f4ae9eb7c0d8d403812
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=odxqzjba37w3aickclnhwaqgmryahijjnter6sxj5n6a3dkahaja._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
153c5641badc8df2740041f4dcbceb18fed6560af9fb704776304c96c9974bcf
XWorm
60a6d2666a2fcff382041c20273f99cc13f1998d11522fb772eac2aeed83f37c
XWorm
677536b7f1eb664ef689a5b418a6a38f75bac30e1f4a4b8d7e9e44a3888f0027
XWorm
ae4c0ef46c195eca51369358673a9d8efed3fb69f92bce3d0763eec59e0d9bae
XWorm
b57aff2eb48e3121344494e3e4d60ce0d357c48a2a35806e9024fcac9202ebcd
XWorm
dd571605c43f67c667cf409ddffd8fadbe022d45239f7aa61e584f0c2cd274f4
XWorm
dd5f4cf43236b8b7c89369b8a42cf5917f41c88a5d3d785d596058f2b203ac72
XWorm
ec145d51cb891b1e9a1e31088c0803371b5804baee1e766016b0a6f6e471f385
XWorm
+ 2'261 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/251015-tabb5avps2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Drops startup file
Badlisted process makes network request
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
prakashjadha.ddnsgeek.com:1007
83.147.243.110:1007
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/70ef0ca420df/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/70ef0ca420dfedb0204a12da7b0206647003a1296cc91f4ae9eb7c0d8d403812

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/32949/

Comments