MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78e42dc2fe1d89f120a7c41dc184bf8e5fe6fba98b21eeb08fe4e1be8143b3e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78e42dc2fe1d89f120a7c41dc184bf8e5fe6fba98b21eeb08fe4e1be8143b3e2
SHA3-384 hash: acb64cf67501a548112e99d1c447e648fe2aa9e534c4bf0e75094d5b158d48cd468b933087bbb453d74fe19389010bd7
SHA1 hash: 5884b5d56400fbd2fb0bdbfc5d1d9539a82b44b5
MD5 hash: 089edbced446bd801d4abf83b95776c6
humanhash: uranus-colorado-carbon-oregon
File name:Request for Quote ENQ-RESB-PMB-PROD060-1069-26.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:288'876 bytes
First seen:2026-01-12 08:22:10 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 6144:Tk+jWcXACUrZZb4uuqQ7BXuPx68vBz6eFyJIC8g85AbCEhyJg7FMSYwPTSP5saz0:Tpj/XCZZb4ZqQEx6aBzBSfBMSrTSP5sh
Threatray 2'293 similar samples on MalwareBazaar
TLSH T1F754DDF33586B5D0CDAEE65F865F8768732E2282FB534189035F0E448B2794E7BC458A
Magika batch
Reporter smica83
Tags:bat HUN xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_78e42dc2fe1d89f120a7c41dc184bf8e5fe6fba98b21eeb08fe4e1be8143b3e2.txt
Verdict:
Malicious activity
Analysis date:
2026-01-12 08:24:30 UTC
Tags:
auto-reg susp-powershell
Link:
https://app.any.run/tasks/9cb26731-ec37-4d72-ae37-b408802fd132

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48583/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6964af3aa3ed2a87ae3e7b56
Tags:
dropper emotet shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching cmd.exe command interpreter
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Changing the Zone.Identifier stream
Creating a file
Сreating synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
DNS request
Connection attempt
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
attrib base64 cmd lolbin obfuscated powershell
Link:
https://www.filescan.io/uploads/6964af3d30368802bb815527/reports/cceebb3e-ffa5-47e8-8c53-388b33a657eb/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/78e42dc2fe1d89f120a7c41dc184bf8e5fe6fba98b21eeb08fe4e1be8143b3e2
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-01-12T00:56:00Z UTC
Last seen:
2026-01-13T21:04:00Z UTC
Hits:
~100
Detections:
Backdoor.Agent.TCP.C&C Backdoor.MSIL.XWorm.c Trojan-Dropper.Win32.Injector.sb Trojan.Win32.Shellcode.sb HEUR:Backdoor.MSIL.Agent.gen Backdoor.MSIL.Cardinal.sb HackTool.PowerShell.AmsiBypass.sb Trojan.Win32.Agent.sb HEUR:Trojan.Script.Generic Backdoor.MSIL.XWorm.b Trojan.PowerShell.Cobalt.sb PDM:Trojan.Win32.Generic Backdoor.Win32.Androm Backdoor.MSIL.XWorm.a Backdoor.MSIL.Agent.sb Trojan.Win32.HTA.a HEUR:Trojan.BAT.Cobalt.gen
Link:
https://opentip.kaspersky.com/78e42dc2fe1d89f120a7c41dc184bf8e5fe6fba98b21eeb08fe4e1be8143b3e2/results?tab=lookup
Result
Threat name:
DonutLoader, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1848815
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Unusual module load detection (module proxying)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected DonutLoader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1848815 Sample: Request for Quote ENQ-RESB-... Startdate: 12/01/2026 Architecture: WINDOWS Score: 100 79 dal-business-20.duckdns.org 2->79 89 Suricata IDS alerts for network traffic 2->89 91 Found malware configuration 2->91 93 Malicious sample detected (through community Yara rule) 2->93 97 12 other signatures 2->97 12 cmd.exe 1 2->12         started        15 cmd.exe 1 2->15         started        signatures3 95 Uses dynamic DNS services 79->95 process4 signatures5 105 Suspicious powershell command line found 12->105 107 Uses cmd line tools excessively to alter registry or file data 12->107 109 Encrypted powershell cmdline option found 12->109 111 Bypasses PowerShell execution policy 12->111 17 cmd.exe 4 12->17         started        21 conhost.exe 12->21         started        23 cmd.exe 1 15->23         started        25 conhost.exe 15->25         started        process6 file7 69 C:\Users\user\...\32Kas01esS88zgwb.bat, DOS 17->69 dropped 83 Suspicious powershell command line found 17->83 85 Uses cmd line tools excessively to alter registry or file data 17->85 87 Encrypted powershell cmdline option found 17->87 27 powershell.exe 23 17->27         started        31 powershell.exe 11 17->31         started        33 powershell.exe 16 17->33         started        43 3 other processes 17->43 35 powershell.exe 15 23->35         started        37 conhost.exe 23->37         started        39 reg.exe 1 23->39         started        41 powershell.exe 23->41         started        signatures8 process9 file10 73 C:\Users\user\AppData\...\tzgipdzo.cmdline, Unicode 27->73 dropped 75 C:\Users\user\AppData\Local\...\tzgipdzo.0.cs, Unicode 27->75 dropped 113 Injects code into the Windows Explorer (explorer.exe) 27->113 115 Writes to foreign memory regions 27->115 117 Creates a thread in another existing process (thread injection) 27->117 45 explorer.exe 93 4 27->45 injected 49 csc.exe 3 27->49         started        119 Found suspicious powershell code related to unpacking or dynamic code loading 31->119 121 Compiles code for process injection (via .Net compiler) 31->121 77 C:\Users\user\AppData\...\ps_LNUdiqZA.ps1, Unicode 33->77 dropped signatures11 process12 dnsIp13 81 dal-business-20.duckdns.org 91.92.243.151, 49696, 7000 THEZONEBG Bulgaria 45->81 123 System process connects to network (likely due to code injection or exploit) 45->123 125 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 45->125 127 Unusual module load detection (module proxying) 45->127 52 cmd.exe 45->52         started        71 C:\Users\user\AppData\Local\...\tzgipdzo.dll, PE32 49->71 dropped 54 cvtres.exe 1 49->54         started        file14 signatures15 process16 process17 56 cmd.exe 52->56         started        59 conhost.exe 52->59         started        signatures18 99 Suspicious powershell command line found 56->99 101 Uses cmd line tools excessively to alter registry or file data 56->101 103 Encrypted powershell cmdline option found 56->103 61 conhost.exe 56->61         started        63 reg.exe 56->63         started        65 powershell.exe 56->65         started        67 powershell.exe 56->67         started        process19
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/78e42dc2fe1d89f120a7c41dc184bf8e5fe6fba98b21eeb08fe4e1be8143b3e2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/78e42dc2fe1d89f120a7c41dc184bf8e5fe6fba98b21eeb08fe4e1be8143b3e2/
Verdict:
Malicious
Threat:
Backdoor.MSIL.XWorm
Link:
https://tip.neiki.dev/file/78e42dc2fe1d89f120a7c41dc184bf8e5fe6fba98b21eeb08fe4e1be8143b3e2
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-01-12 04:05:43 UTC
File Type:
Text (Batch)
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pdsc3qx6dwe7cifhyqo4dbf7rzp6n65jrmq65mep4tq35akdwpra._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
donutloader
Create hunting rule
Similar samples:
0ce283c575ae8e287d143a2a7760f232137f66014f94ffb5a5d2a92e341acbb4
XWorm
2ebbc0ecfdc8da987269085bdff3bfef88b555a5557beec2880d81eb58862fd8
XWorm
4bce5c43d01102b83bf0cb0b85d09ea8a758262b98b04aeccff957aad024f7bd
XWorm
7e1c737b0425f74274a9a7b03335c72f8b0e82f7713e1713f98db9a0ad2c34cf
XWorm
878c2fd49c39b041dcd87701bfa3d32362103e2411a5310e74d1fc878f310c67
XWorm
e36eee6a572b2c5e45cfaffae49ee361f55915375a4b7c938983fe8f8b5aa539
XWorm
error
XWorm
f499e385f4a4249fadbe00260417c51b26b4cbb32abdf933b6e772d6f22a6cbb
XWorm
fac0ea914e72f08856d3c2c68a4d3f447269d002d8488f8a60aef9d7e989f0c4
XWorm
+ 2'283 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:xworm defense_evasion execution loader persistence rat trojan
Link:
https://tria.ge/reports/260112-j9pzfsay9c/
Behaviour
Modifies registry class
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Detects DonutLoader
DonutLoader
Donutloader family
Xworm
Xworm family
Malware Config
C2 Extraction:
dal-business-20.duckdns.org:7000
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78e42dc2fe1d89f120a7c41dc184bf8e5fe6fba98b21eeb08fe4e1be8143b3e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:SUSP_Base64
Create hunting rule
Author:Eslam Hassan
Description:Detects hex encoded code that has been base64 encoded
Reference:Internal Research
Rule name:SUSP_PowerShell_Base64_Decode
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects PowerShell code to decode Base64 data. This can yield many FP
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/48583/

Comments