MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8be80c2c475e56e5cf4352b55d95d859d4816548052309ad41cfd01e86615be7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8be80c2c475e56e5cf4352b55d95d859d4816548052309ad41cfd01e86615be7
SHA3-384 hash: 00ac324a74520aaa4fec88276d97e7b0dd1b6ea7444a585b7a1a70dae4d2a9fab105121930646b13989ce55668926385
SHA1 hash: f132e7a94fe1f8c2081b1cd1a70d7bf0320f87c0
MD5 hash: 04910209f28f9be58ca26c7f8f34d82f
humanhash: utah-carpet-wyoming-bulldog
File name:awb_documents_delivery_23_03_2025_0000000-pdf.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:185'500 bytes
First seen:2025-03-25 06:30:22 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 3072:u4fpOIQ10NYLzolDW9z9R98fouyulP8HfHKN6cFOPr6JfmD6kF4CA4oBMzNzjMIY:BhOIQyWL0DW9z9R98fouyulP8HfH5AuK
Threatray 2'089 similar samples on MalwareBazaar
TLSH T101044DFBCD703EE80FE610D018553B4E1128CBC7512D4EB9FAA27556D61B4AAAEF2C44
Magika latex
Reporter abuse_ch
Tags:bat xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
awb_documents_delivery_23_03_2025_0000000-pdf.bat
Verdict:
Malicious activity
Analysis date:
2025-03-25 06:36:46 UTC
Tags:
remote xworm susp-powershell
Link:
https://app.any.run/tasks/8aa7dfb0-cc90-45d1-9daf-4ba710cd8c72

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BAT.Agent-36.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e24efdbb84e066269ee4b9
Tags:
shell spawn sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated
Link:
https://www.filescan.io/uploads/67e24d84a08e28b31da7fa44/reports/e5344063-a6a6-490f-bbab-27d98bfddb69/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/8be80c2c475e56e5cf4352b55d95d859d4816548052309ad41cfd01e86615be7
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Result
Threat name:
Batch Injector, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1647705
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
Yara detected Batch Injector
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/8be80c2c475e56e5cf4352b55d95d859d4816548052309ad41cfd01e86615be7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8be80c2c475e56e5cf4352b55d95d859d4816548052309ad41cfd01e86615be7/
Threat name:
Script-BAT.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-03-24 08:03:50 UTC
File Type:
Text (PowerShell)
AV detection:
6 of 24 (25.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rpuaylchlzlolt2dkk2v3foylhkiczkiaurqtlkbz7ib5btblptq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
108cc8de775d1508ece81cb24d8aa5770b5760ddd3ecd27a341ab9f539d7950c
XWorm
39310dd2eaae889d46e05ad8d231a6da7977e7b47d864ed0b5db0b66b2f57010
XWorm
7b79046511bb3e926c5c91db54dae79c06bc19f7d7cdfcfe6df9627eb257cac7
XWorm
9b0a5807b705aecc86d4f02944944e51045852e915315136a7468cab0124f07b
XWorm
a0426333807dd8de6f38d77aca0fce5ff99e5231c6f5be5398410470dfd2b756
XWorm
d0947eae56860259ab301c62cfdcd0f8c77a59edadd82880b7fd743cf95a8e7a
XWorm
df56b2796d6a3dc1cb0dd449bde500ee024aba2cba51aec803f1d14672c2e6ce
XWorm
error
XWorm
+ 2'079 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/250325-g9818astgv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
freeetradingzone.duckdns.org:3911
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8be80c2c475e56e5cf4352b55d95d859d4816548052309ad41cfd01e86615be7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments