MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8dae5bd66848657512de7b2d4cc9dc1f9aa24c7b57225566cc445e987c3338e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: XWorm
Vendor detections: 16



SHA256 hash: 8dae5bd66848657512de7b2d4cc9dc1f9aa24c7b57225566cc445e987c3338e5
SHA3-384 hash: 98ba565bf1340d58240e2b612ca00d6c78b23aa6f97ec82ac77b8889ecc14a3e0da4b7a68c9440b6785c2eaf5bb62336
SHA1 hash: 62486d14e738790ebc9877a64a1d1123c762c593
MD5 hash: d6ee9d30acd1034104359b4ece529245
humanhash: north-tennis-floor-tennis
File name: awb_bl_shipping_customs_tax_clearance_instructions_03_02_2026_pdf.bat
Signature: XWorm
File size: 7'601 bytes
First seen: 2026-02-03 15:42:47 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 192:QQMmyJLJO4+UNnQTuDRdJVY6P+kQwycKkEaDclaquc9mYESqO:QQMmyJtO+n11VYA+kQwrnzcZuMniO
TLSH: T134F198BCC2BDBCC4431E374074D2DDCE12929A078EB62A54E75C1D686BB4259BBF9148
Magika: batch
Reporter: lowmal3
Tags: bat xworm

Intelligence


File Origin
# of uploads: 1
# of downloads: 48
Origin country: DE

Vendor Threat Intelligence
No detections

Malware family: agenttesla
ID: 1
File name: awb_bl_shipping_customs_tax_clearance_instructions_03_02_2026_pdf.bat
Verdict: Malicious activity
Analysis date: 2026-02-03 15:44:55 UTC
Tags: keylogger agenttesla stego payload ta558 apt stegocampaign loader reverseloader auto-reg susp-powershell xworm remote

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 97.4%
Tags: ransomware shell sage

Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Creating a file
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Creating a window
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 masquerade obfuscated obfuscated powershell
Verdict: Malicious
File Type: unix shell
First seen: 2026-02-03T05:40:00Z UTC
Last seen: 2026-02-03T10:30:00Z UTC
Hits: ~1000
Detections: Trojan-Downloader.SLoad.TCP.ServerRequest PDM:Trojan.Win32.Generic Backdoor.Agent.TCP.C&C Trojan-Downloader.PowerShell.NanoShield.sb HEUR:Trojan.Multi.Stego.gen HEUR:Trojan.Script.Generic HEUR:Trojan.BAT.Alien.gen
Result
Threat name:
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected XWorm
Behaviour
Behavior Graph (ID: 1862554; Sample: awb_bl_shipping_customs_tax...; Startdate: 03/02/2026; Architecture: WINDOWS; Score: 100), flattened from the graph rendering:

Sample (node 2)
- Contacts: excellentxtrablessings.duckdns.org, resitrans.com.br, and 2 other IPs or domains
- Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures
- Uses dynamic DNS services (excellentxtrablessings.duckdns.org)
- Started: cmd.exe (11), svchost.exe (14), svchost.exe (16)

cmd.exe (11)
- Signatures: Suspicious powershell command line found
- Started: powershell.exe (18), conhost.exe (21)

svchost.exe (14) started conhost.exe (23); svchost.exe (16) started conhost.exe (25)

powershell.exe (18)
- Signatures: Suspicious powershell command line found; Suspicious execution chain found; Found suspicious powershell code related to unpacking or dynamic code loading
- Started: powershell.exe (27)

powershell.exe (27)
- Network: resitrans.com.br 186.209.113.138, 443, 49699 (DatoraTelecomunicacoesLtdaBR, Brazil); au72nuxzv2.ufs.sh 172.67.184.177, 443, 49693 (CLOUDFLARENETUS, United States)
- Dropped: C:\Users\user\AppData\...\y1c3ibgb.cmdline (Unicode)
- Signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
- Started: RegAsm.exe (32), csc.exe (37), conhost.exe (39)

RegAsm.exe (32)
- Network: excellentxtrablessings.duckdns.org 185.167.61.11, 3025, 49701, 49702 (INETLTDTR, Turkey)
- Dropped: C:\Users\user\AppData\Roaming\svchost.exe (PE32+)
- Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Drops PE files with benign system names
- Started: cmd.exe (41)

csc.exe (37)
- Dropped: C:\Users\user\AppData\Local\...\y1c3ibgb.dll (PE32)
- Started: cvtres.exe (43)

cmd.exe (41)
- Started: conhost.exe (45), timeout.exe (47)
Threat name: Script-BAT.Trojan.Heuristic
Status: Malicious
First seen: 2026-02-03 14:09:13 UTC
File Type: Text (Batch)
AV detection: 6 of 24 (25.00%)
Threat level: 2/5

Result
Malware family:
Score: 10/10
Tags: family:xworm discovery execution persistence rat trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction: excellentxtrablessings.duckdns.org:3025
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_PS1_JAB_Pattern_Jun22_1
Author: Florian Roth (Nextron Systems)
Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference: Internal Research

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or not) Powershell or CMD Command that can be abused by threat actor (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
XWorm
Batch (bat) 8dae5bd66848657512de7b2d4cc9dc1f9aa24c7b57225566cc445e987c3338e5 (this sample)

Delivery method: Distributed via e-mail attachment

Comments