MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a88faac5c77bb82c70e4aea71d3dffc333540cc05bdb18c5d21b1f9c5b258bc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a88faac5c77bb82c70e4aea71d3dffc333540cc05bdb18c5d21b1f9c5b258bc0
SHA3-384 hash: 76999d420f28a737bae9813346fca507eddc0e0b31dbc2bc6f5ff0fe9c2dbf0aed3229341a2e16dff0ca79b89fb60213
SHA1 hash: 8a37e52e4cf6a6d259a27b5ee6dd16c8f52ae9e7
MD5 hash: 5aa270e28bae3b59b572b2aa1cbf6ae8
humanhash: hydrogen-maine-winner-magazine
File name:al_ansari_payment_confirmation_receipts_05_29_2025.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:57'725 bytes
First seen:2025-05-30 12:25:34 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 1536:97SDiNAyhP2iwq2xEmScS6kA8xFV9XyjdArmEwiq9mXD6j8vk6r8talll1llxllt:gOayhP2iwqpSmP1YmTFVmalll1llxllt
Threatray 1'823 similar samples on MalwareBazaar
TLSH T1A943813DDDE7ECC0436FB0C0966E3B66138D5B53BAA10B6CFBD14A615814686EB3614C
Magika vba
Reporter lowmal3
Tags:bat xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
al_ansari_payment_confirmation_receipts_05_29_2025.bat
Verdict:
No threats detected
Analysis date:
2025-05-30 12:44:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f33c2ede-2dc3-4f8d-846a-2c311072f068

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6407/
Detection(s):
SecuriteInfo.com.BAT.Obfus-4.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6839a60b668438e362e877b4
Tags:
obfuscate xtreme shell
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd evasive lolbin masquerade obfuscated powershell timeout
Link:
https://www.filescan.io/uploads/6839a443fd02ed5e059049b2/reports/8c113da7-8bdd-4912-8630-e0092ec528a9/overview
Verdict:
Suspicious
Labled as:
BAT/Agent.AZY
Link:
https://www.hybrid-analysis.com/sample/a88faac5c77bb82c70e4aea71d3dffc333540cc05bdb18c5d21b1f9c5b258bc0
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1702356
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Uses dynamic DNS services
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1702356 Sample: al_ansari_payment_confirmat... Startdate: 30/05/2025 Architecture: WINDOWS Score: 100 58 businesstradings.duckdns.org 2->58 62 Suricata IDS alerts for network traffic 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 70 11 other signatures 2->70 10 cmd.exe 1 2->10         started        13 cmd.exe 1 2->13         started        signatures3 68 Uses dynamic DNS services 58->68 process4 signatures5 72 Suspicious powershell command line found 10->72 74 Bypasses PowerShell execution policy 10->74 76 Suspicious command line found 10->76 15 cmd.exe 1 10->15         started        18 conhost.exe 10->18         started        20 cmd.exe 1 13->20         started        22 conhost.exe 13->22         started        process6 signatures7 88 Suspicious powershell command line found 15->88 90 Suspicious command line found 15->90 24 powershell.exe 20 23 15->24         started        29 conhost.exe 15->29         started        31 timeout.exe 1 15->31         started        33 cmd.exe 1 15->33         started        35 powershell.exe 20->35         started        37 conhost.exe 20->37         started        39 cmd.exe 1 20->39         started        41 timeout.exe 1 20->41         started        process8 dnsIp9 60 businesstradings.duckdns.org 185.167.61.11, 3033, 49694 INETLTDTR Turkey 24->60 54 C:\Users\user\...\StartupScript_0835b4f8.cmd, ASCII 24->54 dropped 78 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->78 80 Suspicious powershell command line found 24->80 82 Query firmware table information (likely to detect VMs) 24->82 84 Found suspicious powershell code related to unpacking or dynamic code loading 24->84 43 powershell.exe 37 24->43         started        46 powershell.exe 28 24->46         started        48 wermgr.exe 14 24->48         started        56 \Device\ConDrv, ASCII 35->56 dropped 50 powershell.exe 35->50         started        file10 signatures11 process12 signatures13 86 Loading BitLocker PowerShell Module 43->86 52 conhost.exe 43->52         started        process14
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/a88faac5c77bb82c70e4aea71d3dffc333540cc05bdb18c5d21b1f9c5b258bc0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a88faac5c77bb82c70e4aea71d3dffc333540cc05bdb18c5d21b1f9c5b258bc0/
Threat name:
Script-BAT.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-05-30 11:15:16 UTC
File Type:
Text (Batch)
AV detection:
7 of 38 (18.42%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vch2vrohpo4cy4hev2tr2pp7ymzvidgalpnrrrosdmpzywzfrpaa._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
168c048aa7ca05f48086bf8ed7fe8886a6e220e2b5d123b56db4932ab04aec5b
XWorm
2aa37e753ce1273f6ee4968bec7e2381b79a85ffbd1ee3da1fe9b4c1ea3ec4cd
XWorm
3e725d0efe588ac45c5bfa6aee1b6d5e75b65aa3a301e274c5e8e825ac390b7e
XWorm
4c3c7c82fef77195b527cac193188f01065d38da118efdd8d51d8fb53f5af87e
XWorm
551b0a6bc3aa19879c1936a0d91a73e44e57dffa057a3ac90bf8b009e840e516
XWorm
792754b8f83fc54cb4f36b0aef98b787d13c76b12a83e765f380d6d8f421abcb
XWorm
7a5e7ffe03839f2a8b690da5c55388122b1a8fcf5774f8a91db6eb9061b7bb4b
XWorm
9d08e5e62b409ef1ccd05c7996eb5432e4a36f55642cb7441d153909e823f144
XWorm
a90c46b549a798b086e2ef3ee17728c7456cdf3730b25f50500143e3a56de1f8
XWorm
cabe7c8088610b32f234f920fdfc9c0ba3c64301e1cb3bd443f400b9998ba50f
XWorm
error
XWorm
+ 1'813 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250530-pmm48s1py8/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a88faac5c77bb82c70e4aea71d3dffc333540cc05bdb18c5d21b1f9c5b258bc0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Batch (bat) bat a88faac5c77bb82c70e4aea71d3dffc333540cc05bdb18c5d21b1f9c5b258bc0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/6407/

Comments