MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 738b83bb381cf4a5b9b3548200938722d272d6209aa3a6290837a74b9d5da389. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	738b83bb381cf4a5b9b3548200938722d272d6209aa3a6290837a74b9d5da389
SHA3-384 hash:	b623af7f9364236fecb2ec6207f36e52aab5c0145322ade56d6b4878f193f46f2a94efafe164d0bfa8e71633ee408b3d
SHA1 hash:	606ca8b0cc09e2e32d1a413f489e9ca5f83038ef
MD5 hash:	c5dbcc2dbc4c6c5a55316bf6b69e80cd
humanhash:	quebec-vegan-timing-echo
File name:	Zapytanie_ofertowe_183200632934006_APSTEEL (4).bat
Download:	download sample
Signature	XWorm Create hunting rule
File size:	4'053 bytes
First seen:	2025-10-01 11:11:15 UTC
Last seen:	2025-10-02 08:59:19 UTC
File type:	bat
MIME type:	text/plain
ssdeep	48:C0sMiP8S8UiE2mt12Eg/jmgPvMEsLy3mH2oZNNfd6VoWlDmlZgfZkBQBSFt4a:LHu8Vvmf2EgLLM63+2ohEaZgfZIU9a
Threatray	2'466 similar samples on MalwareBazaar
TLSH	T17681400D110B1E1E8ABC0251FD7C5D72A7E6F577F725F18CA13AAACEB828328039244D
Magika	txt
Reporter	JAMESWT_WT
Tags:	bat xworm

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Zapytanie_ofertowe_183200632934006_APSTEEL (4).bat

Verdict:

Malicious activity

Analysis date:

2025-10-01 11:13:38 UTC

Tags:

susp-powershell payload loader reverseloader remote xworm

Link:

https://app.any.run/tasks/570689ba-fb1c-4242-9b07-e9e6b4be6934

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/29690/

Detection(s):

no reply from clamd

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68dd0c7240b7da0b4eb92ff2

Tags:

obfuscate xtreme shell

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching a process

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

base64 evasive obfuscated powershell

Link:

https://www.filescan.io/uploads/68dd0c9674e5a289899c1956/reports/d2492e98-f899-4c7b-81d6-1cae7b2b1654/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/738b83bb381cf4a5b9b3548200938722d272d6209aa3a6290837a74b9d5da389

Verdict:

Unknown

File Type:

text

First seen:

2025-10-01T00:28:00Z UTC

Last seen:

2025-10-02T02:29:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/738b83bb381cf4a5b9b3548200938722d272d6209aa3a6290837a74b9d5da389/results?tab=lookup

Score:

26%

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/738b83bb381cf4a5b9b3548200938722d272d6209aa3a6290837a74b9d5da389

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/738b83bb381cf4a5b9b3548200938722d272d6209aa3a6290837a74b9d5da389/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2025-10-01 09:10:57 UTC

File Type:

Text

AV detection:

5 of 38 (13.16%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oofyhozydt2klontksbabe4heljhfvratkr2mkiig6tuxhk5uoeq._file

Verdict:

malicious

Label(s):

xworm

katzstealer

XWorm

3b39da6b761aebfac6324138212fd5a6eeb89a50ef1e7b8f8a813c07ac920062

XWorm

41cdbafba89bad77d1784458e5c226eb405ca9f46bb65a38031c48a97e6eef84

XWorm

45ba32fcb65201e7cae3d05f77178e08fd41380624edd777e355c63ac1d126b7

XWorm

699b91f69cd0d059794175c55675ad931a2eaa18cb713523265429da6b021633

XWorm

error

XWorm

f03cc966d2abcece5e21a8c90cb2ae5472971202377c59187821f3188012d992

XWorm

+ 2'456 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm discovery execution rat trojan

Link:

https://tria.ge/reports/251001-naqtxsdr9s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Detect Xworm Payload

Xworm

Xworm family

Malware Config

C2 Extraction:

participationcontrol.duckdns.org:9870
propracontrolly.duckdns.org:9870
masterforshizllett.giize.com :9870

Dropper Extraction:

https://safecarecpacenter.com/f/s2lPtuKkLywUwz_nxs_Qe9_HgyuNHSFiDqhqfNTJWoDoQoDXn6Fr4rl3yEQ8PYmIvMsBm4_7oKN-yRtwOQUPnFc8gm02p9RG5U8_QhGQpgL37jT6YjasVJmzcowDGvTnoE5X0INfPfjZifriyoDQyJBQetDLM8TQ0KMyzhj8dNW02Zaqv8LXnTUKlspBRs5G8CcqtAGZNL4/filename

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/738b83bb381cf4a5b9b3548200938722d272d6209aa3a6290837a74b9d5da389

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Base64_Encoded_Powershell_Directives Create hunting rule

Rule name:	obfuscated_BAT Create hunting rule
Author:	@warz_s
Description:	Identifies obfuscated BAT files
Reference:	https://github.com/secwarz/YaraRules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/29690/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample