MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae4c0ef46c195eca51369358673a9d8efed3fb69f92bce3d0763eec59e0d9bae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae4c0ef46c195eca51369358673a9d8efed3fb69f92bce3d0763eec59e0d9bae
SHA3-384 hash: 65082d67a90d5c93beca8d4e7b14a3fddb745f5ec8a31c432226aba36563a32c0cb2cd26f36f1de7edeeb64c00133201
SHA1 hash: be861330dc0e91271032e3e12c01d90d1fccc755
MD5 hash: 40429c8473863bb0aaa001a4e57907b3
humanhash: wolfram-twelve-north-utah
File name:Invoice.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:265'252 bytes
First seen:2025-10-09 06:30:18 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 6144:6NpJRsBgwy9rQNKa1GHp+UU//ro4NkPCb1C:6RSgTFv
Threatray 2'005 similar samples on MalwareBazaar
TLSH T19944822BA0926BA1CEACA6DD8C162A853D181F4DAFD4B40D7483DE1F54C57CD0A1B73B
Magika batch
Reporter smica83
Tags:bat xworm

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
83.147.243.110:1005 https://threatfox.abuse.ch/ioc/1609509/

Intelligence

File Origin
# of uploads :
1
# of downloads :
62
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_ae4c0ef46c195eca51369358673a9d8efed3fb69f92bce3d0763eec59e0d9bae.txt
Verdict:
No threats detected
Analysis date:
2025-10-09 06:46:10 UTC
Tags:
susp-powershell
Link:
https://app.any.run/tasks/bd965d88-d836-4c67-832b-50f33fc32aa5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/31229/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e756997f305fa2545dda3f
Tags:
obfuscate autorun xtreme shell
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
base64 evasive masquerade obfuscated powershell
Link:
https://www.filescan.io/uploads/68e756967c75fa33a278920c/reports/9de21959-220d-46fa-9337-024c675ee5da/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/ae4c0ef46c195eca51369358673a9d8efed3fb69f92bce3d0763eec59e0d9bae
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-10-09T04:02:00Z UTC
Last seen:
2025-10-09T04:40:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.PowerShell.Tesre.sb Backdoor.MSIL.XWorm.b Trojan.PowerShell.AmsiBypass.sb PDM:Trojan.Win32.Generic HEUR:Trojan.BAT.Tesre.gen Backdoor.Agent.TCP.C&C Trojan.BAT.Agent.sb
Link:
https://opentip.kaspersky.com/ae4c0ef46c195eca51369358673a9d8efed3fb69f92bce3d0763eec59e0d9bae/results?tab=lookup
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1791915
Signature
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1791915 Sample: Invoice.bat Startdate: 09/10/2025 Architecture: WINDOWS Score: 100 95 Suricata IDS alerts for network traffic 2->95 97 Found malware configuration 2->97 99 Malicious sample detected (through community Yara rule) 2->99 101 15 other signatures 2->101 8 cmd.exe 1 2->8         started        11 cmd.exe 1 2->11         started        13 cmd.exe 1 2->13         started        15 16 other processes 2->15 process3 signatures4 105 Suspicious powershell command line found 8->105 17 cmd.exe 1 8->17         started        19 conhost.exe 8->19         started        21 cmd.exe 1 11->21         started        23 conhost.exe 11->23         started        25 cmd.exe 1 13->25         started        27 conhost.exe 13->27         started        29 cmd.exe 1 15->29         started        31 cmd.exe 1 15->31         started        33 30 other processes 15->33 process5 process6 35 cmd.exe 3 17->35         started        38 cmd.exe 2 21->38         started        40 cmd.exe 2 25->40         started        42 cmd.exe 2 29->42         started        44 cmd.exe 2 31->44         started        46 cmd.exe 33->46         started        48 cmd.exe 33->48         started        50 cmd.exe 33->50         started        52 11 other processes 33->52 signatures7 103 Suspicious powershell command line found 35->103 54 2 other processes 35->54 59 2 other processes 38->59 61 2 other processes 40->61 63 2 other processes 42->63 65 2 other processes 44->65 67 2 other processes 46->67 69 2 other processes 48->69 71 2 other processes 50->71 73 22 other processes 52->73 process8 dnsIp9 93 83.147.243.110, 1005, 49715 BAHARNETIR Iran (ISLAMIC Republic Of) 54->93 75 C:\Users\user\AppData\Roaming\...\3825.bat, ASCII 54->75 dropped 107 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 54->107 109 Drops script or batch files to the startup folder 54->109 111 Found suspicious powershell code related to unpacking or dynamic code loading 54->111 113 Loading BitLocker PowerShell Module 54->113 77 C:\Users\user\AppData\Roaming\...\daba.bat, ASCII 59->77 dropped 79 C:\Users\user\AppData\Roaming\...\c88a.bat, ASCII 61->79 dropped 81 C:\Users\user\AppData\Roaming\...\b8bf.bat, ASCII 63->81 dropped 83 C:\Users\user\AppData\Roaming\...\42f1.bat, ASCII 65->83 dropped 85 C:\Users\user\AppData\Roaming\...\2a40.bat, ASCII 67->85 dropped 87 C:\Users\user\AppData\Roaming\...\5217.bat, ASCII 69->87 dropped 89 C:\Users\user\AppData\Roaming\...\5379.bat, ASCII 71->89 dropped 91 11 other malicious files 73->91 dropped file10 signatures11
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/ae4c0ef46c195eca51369358673a9d8efed3fb69f92bce3d0763eec59e0d9bae
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae4c0ef46c195eca51369358673a9d8efed3fb69f92bce3d0763eec59e0d9bae/
Verdict:
Malicious
Threat:
Backdoor.MSIL.XWorm
Link:
https://tip.neiki.dev/file/ae4c0ef46c195eca51369358673a9d8efed3fb69f92bce3d0763eec59e0d9bae
Threat name:
Text.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-10-09 01:13:27 UTC
File Type:
Text
AV detection:
4 of 24 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vzga55dmdfpmuujwsnmgoou5r37nh63j7ev44pihmpxmlhqntoxa._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
15da3c7d89995b5948be27e62cc19ec8aafb0023a190092a441b48fbbdc0b21f
XWorm
3433ac1f8c27e6e4bf4f2482dbc6e9af1ee91e8221c9243a9504696f2c4617f7
XWorm
60a6d2666a2fcff382041c20273f99cc13f1998d11522fb772eac2aeed83f37c
XWorm
677536b7f1eb664ef689a5b418a6a38f75bac30e1f4a4b8d7e9e44a3888f0027
XWorm
b57aff2eb48e3121344494e3e4d60ce0d357c48a2a35806e9024fcac9202ebcd
XWorm
c8e703c569cfbf7d1ed8c4fa0738727142802825db3702a9ee3ded8f722723ec
XWorm
dd571605c43f67c667cf409ddffd8fadbe022d45239f7aa61e584f0c2cd274f4
XWorm
dd5f4cf43236b8b7c89369b8a42cf5917f41c88a5d3d785d596058f2b203ac72
XWorm
ec145d51cb891b1e9a1e31088c0803371b5804baee1e766016b0a6f6e471f385
XWorm
error
XWorm
+ 1'995 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/251009-g9txasbk8y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Drops startup file
Badlisted process makes network request
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
prakashjadha.ddnsgeek.com:1005
83.147.243.110:1005
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ae4c0ef46c195eca51369358673a9d8efed3fb69f92bce3d0763eec59e0d9bae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/31229/

Comments