MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 839ac710d88eef9e5eaaa68183cd2f5fec297b7094263582d3e5441cf396db50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 839ac710d88eef9e5eaaa68183cd2f5fec297b7094263582d3e5441cf396db50
SHA3-384 hash: 034e3859dd5bdac9fc4634aee14d90f54a2b22fb8407d28268fca8f4064263c23fede56f19616ad0b89622bfbc603854
SHA1 hash: 38ba95a7f3c7fc4ccc7adb17249fbc83dbed1bee
MD5 hash: 07b943df5ce99f9617da7f5c6ae6a6f1
humanhash: utah-victor-snake-magnesium
File name:Maersk_Forwarder_Cargo_Receipt_Draft_Shipping_Documents_Review_06_23_2025_0000000_doc.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:74'184 bytes
First seen:2025-06-24 05:47:28 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 1536:BYnSosfulygLP+niborN0P93HQY6vM650e+0YT2oyFcBx55gMnq018kM1Zy:sXsfulN8ul3HI0Ay
Threatray 1'803 similar samples on MalwareBazaar
TLSH T10E738E45CE2BAC5CABE02BB924CF6CD6D56F23DE2A7018DE541FDB088A78454B1D06DC
Magika txt
Reporter abuse_ch
Tags:bat Maersk xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Maersk_Forwarder_Cargo_Receipt_Draft_Shipping_Documents_Review_06_23_2025_0000000_doc.bat
Verdict:
Malicious activity
Analysis date:
2025-06-24 06:37:58 UTC
Tags:
susp-powershell remote xworm
Link:
https://app.any.run/tasks/a76aff5e-ad20-4049-8bc1-4c2e9b9be0a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10816/
Detection(s):
SecuriteInfo.com.BAT.Obfus-4.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=685a3c07b06783b9ebd6cb32
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/685a3c27cf2af15711163266/reports/437dac7f-29c5-4d78-a131-35c273229675/overview
Verdict:
Malicious
Labled as:
GenScript.VFO trojan
Link:
https://www.hybrid-analysis.com/sample/839ac710d88eef9e5eaaa68183cd2f5fec297b7094263582d3e5441cf396db50
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1721593
Signature
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Uses dynamic DNS services
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1721593 Sample: Maersk_Forwarder_Cargo_Rece... Startdate: 24/06/2025 Architecture: WINDOWS Score: 100 41 businesstradings.duckdns.org 2->41 45 Suricata IDS alerts for network traffic 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Yara detected Powershell decode and execute 2->49 53 7 other signatures 2->53 10 cmd.exe 1 2->10         started        signatures3 51 Uses dynamic DNS services 41->51 process4 signatures5 61 Suspicious command line found 10->61 13 cmd.exe 1 10->13         started        16 conhost.exe 10->16         started        process6 signatures7 63 Suspicious command line found 13->63 18 powershell.exe 3 32 13->18         started        23 conhost.exe 13->23         started        25 timeout.exe 1 13->25         started        27 cmd.exe 1 13->27         started        process8 dnsIp9 43 businesstradings.duckdns.org 185.167.61.11, 3033, 49692 INETLTDTR Turkey 18->43 37 \Device\ConDrv, ASCII 18->37 dropped 39 C:\Users\user\AppData\...\tmpDA57.tmp.bat, DOS 18->39 dropped 55 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->55 57 Suspicious powershell command line found 18->57 59 Found suspicious powershell code related to unpacking or dynamic code loading 18->59 29 cmd.exe 1 18->29         started        31 powershell.exe 28 18->31         started        file10 signatures11 process12 process13 33 conhost.exe 29->33         started        35 timeout.exe 1 29->35         started       
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/839ac710d88eef9e5eaaa68183cd2f5fec297b7094263582d3e5441cf396db50
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/839ac710d88eef9e5eaaa68183cd2f5fec297b7094263582d3e5441cf396db50/
Threat name:
Script-JS.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-06-23 04:30:39 UTC
File Type:
Text
AV detection:
5 of 38 (13.16%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qonmoegyr3xz4xvku2ayhtjpl7wcs63qsqtdlawt4vcbz44w3nia._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
0ab149edd126d249c172864346f45dbcfa0ddee02015b6e44a121e6adbd5bd31
XWorm
4c3c7c82fef77195b527cac193188f01065d38da118efdd8d51d8fb53f5af87e
XWorm
792754b8f83fc54cb4f36b0aef98b787d13c76b12a83e765f380d6d8f421abcb
XWorm
a88faac5c77bb82c70e4aea71d3dffc333540cc05bdb18c5d21b1f9c5b258bc0
XWorm
a90c46b549a798b086e2ef3ee17728c7456cdf3730b25f50500143e3a56de1f8
XWorm
cabe7c8088610b32f234f920fdfc9c0ba3c64301e1cb3bd443f400b9998ba50f
XWorm
e9711aa0601544265b4f9c24442069c4edcd331af55798ca2e4a4d25532ddfd8
XWorm
ec86bb0fad6916b5f2ec59b29bbda6212d6feefb2e56f84fa95bbb3b8e13de01
XWorm
error
XWorm
f0c6530004391cf1d41fb844ddfc26736baf935a52525f029d42c3dd0f6ec315
XWorm
+ 1'793 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution rat trojan
Link:
https://tria.ge/reports/250624-ghlrlsdk6z/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Network Configuration Discovery: Internet Connection Discovery
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/839ac710d88eef9e5eaaa68183cd2f5fec297b7094263582d3e5441cf396db50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/10816/

Comments