MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c256303330feb957a162d5093e7b3090d7a43f7d8818f4e33b953b319b8084e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c256303330feb957a162d5093e7b3090d7a43f7d8818f4e33b953b319b8084e
SHA3-384 hash: cd5536219126780ecc349b9ebf3dbd43a30ddd8e6519e7c2136bc559428aea3395bc1fe5a7465e62a5295f3437fd6e25
SHA1 hash: aca6099018834d01dc2d0f6003256ecdd3582d52
MD5 hash: a88ec7e95bc60df9126e9b22404517ac
humanhash: nine-three-hawaii-mississippi
File name:File.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:234'822 bytes
First seen:2025-03-22 13:10:50 UTC
Last seen:2025-03-22 16:14:06 UTC
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 6144:Xl06siU/yLMnA8taz8gy9Z3nF5pBTxLhvxTRP8:t
TLSH T12E34180199B5C8563AC2246C49FFAAF5E856B368BDF96B70740117DF0B6E7413EE3A00
Magika txt
Reporter aachum
Tags:bat xworm


Avatar
iamaachum
http://196.251.91.42/up/uploads/File.bat

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
File.bat
Verdict:
No threats detected
Analysis date:
2025-03-22 13:04:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/08311c9d-95ff-4817-a3b0-4276e115651b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67deb557c8a812f780e80ab4
Tags:
autorun dropper shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Connection attempt
Sending an HTTP GET request
Creating a file
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Launching a file downloaded from the Internet
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive opendir opendir persistence powershell
Link:
https://www.filescan.io/uploads/67deb6ece05c48ec61e60dde/reports/adc54c68-ab90-4ff6-9495-0280cb1fe9e9/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/9c256303330feb957a162d5093e7b3090d7a43f7d8818f4e33b953b319b8084e
Result
Verdict:
UNKNOWN
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1645769
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Drops script or batch files to the startup folder
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell download and load assembly
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Yara detected Powershell download and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/9c256303330feb957a162d5093e7b3090d7a43f7d8818f4e33b953b319b8084e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c256303330feb957a162d5093e7b3090d7a43f7d8818f4e33b953b319b8084e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-03-22 13:04:24 UTC
File Type:
Text (Batch)
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tqswgaztb7vzk6qwfvijhz5tbegxuq7x3cay6trtxfj3ggnybbha._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/250322-qezzhatscx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
Dropper Extraction:
http://196.251.91.42/up/uploads/encryption02.jpg
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9c256303330feb957a162d5093e7b3090d7a43f7d8818f4e33b953b319b8084e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Batch (bat) bat 9c256303330feb957a162d5093e7b3090d7a43f7d8818f4e33b953b319b8084e

(this sample)

d14cdc62de70cf29ee645dc5b480ec7a5b880d3b0c05882dbd2522282b99ec8e

  
Link
https://tria.ge/250322-p3mhmssyfy/behavioral1
  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3487078/
  
Dropping
SHA256 d14cdc62de70cf29ee645dc5b480ec7a5b880d3b0c05882dbd2522282b99ec8e
  
Dropping
MD5 3ca9c9dc98da7593e00e2bea1cdf9e04

Comments