MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af2150ebafd8f655bc625da183bfa64597a6e16456f3be68b47830e418fdf2ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af2150ebafd8f655bc625da183bfa64597a6e16456f3be68b47830e418fdf2ac
SHA3-384 hash: 0601a593d5fb6462cea28e50387482d640846655da9e599e5286bcaeda015fd59c96c7de27e548fb247a7eaf0a1f6191
SHA1 hash: c4cd6d4dd4befd5cc471a810268bbbf683fd1077
MD5 hash: adba4c22d151e638b5937018ccb299c1
humanhash: triple-yellow-sink-oklahoma
File name:system.bat
Download: download sample
File size:295'266 bytes
First seen:2024-04-10 07:23:25 UTC
Last seen:2024-04-10 08:52:56 UTC
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 6144:b4fVBlgzEyYBLHg3ayA0vtgyl5r5kc0unaQBcXMGB:byVBlgNqg3ayAYtJDNdhcXM+
TLSH T1DF54CD57EF21499A08FB2D34C67E4D0D239E7A52986B2F7A2FD0F631211E2717E2461C
Reporter likeastar20
Tags:bat xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
104
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
system.bat
Verdict:
Malicious activity
Analysis date:
2024-04-10 07:21:50 UTC
Tags:
xworm remote
Link:
https://app.any.run/tasks/9967d81a-0f86-43bf-9f0e-d727d54910d7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/66163e92279698d249ed259d/reports/f1f796aa-5781-444d-af83-2989b346ddda/overview
Verdict:
Suspicious
Labled as:
TrojanDropper/BAT.Agent
Link:
https://www.hybrid-analysis.com/sample/af2150ebafd8f655bc625da183bfa64597a6e16456f3be68b47830e418fdf2ac
Result
Verdict:
MALICIOUS
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1423686
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Drops PE files to the user root directory
Loading BitLocker PowerShell Module
Powershell drops PE file
Powershell is started from unusual location (likely to bypass HIPS)
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1423686 Sample: system.bat Startdate: 10/04/2024 Architecture: WINDOWS Score: 100 83 case-shield.gl.at.ply.gg 2->83 91 Snort IDS alert for network traffic 2->91 93 Antivirus detection for URL or domain 2->93 95 Antivirus detection for dropped file 2->95 97 13 other signatures 2->97 12 cmd.exe 1 2->12         started        15 system.exe 2->15         started        17 system.exe 2->17         started        19 wscript.exe 1 2->19         started        signatures3 process4 signatures5 113 Suspicious powershell command line found 12->113 115 Wscript starts Powershell (via cmd or directly) 12->115 117 Bypasses PowerShell execution policy 12->117 21 powershell.exe 3 19 12->21         started        25 net.exe 1 12->25         started        27 conhost.exe 12->27         started        119 Powershell is started from unusual location (likely to bypass HIPS) 15->119 121 Reads the Security eventlog 15->121 123 Reads the System eventlog 15->123 29 conhost.exe 15->29         started        31 conhost.exe 17->31         started        125 Windows Scripting host queries suspicious COM object (likely to drop second stage) 19->125 127 Suspicious execution chain found 19->127 process6 file7 75 C:\Users\user\AppData\...\startup_str_540.vbs, ASCII 21->75 dropped 77 C:\Users\user\AppData\...\startup_str_540.bat, DOS 21->77 dropped 99 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->99 101 Suspicious powershell command line found 21->101 103 Drops PE files to the user root directory 21->103 105 3 other signatures 21->105 33 wscript.exe 1 21->33         started        36 powershell.exe 37 21->36         started        38 net1.exe 1 25->38         started        signatures8 process9 signatures10 87 Wscript starts Powershell (via cmd or directly) 33->87 40 cmd.exe 1 33->40         started        89 Loading BitLocker PowerShell Module 36->89 43 conhost.exe 36->43         started        process11 signatures12 109 Suspicious powershell command line found 40->109 111 Wscript starts Powershell (via cmd or directly) 40->111 45 powershell.exe 1 20 40->45         started        50 net.exe 1 40->50         started        52 conhost.exe 40->52         started        process13 dnsIp14 85 case-shield.gl.at.ply.gg 147.185.221.17, 26501, 49737 SALSGIVERUS United States 45->85 79 C:\Users\user\AppData\Roaming\...\system.lnk, MS 45->79 dropped 81 C:\Users\user\system.exe, PE32+ 45->81 dropped 129 Protects its processes via BreakOnTermination flag 45->129 131 Adds a directory exclusion to Windows Defender 45->131 54 powershell.exe 45->54         started        57 powershell.exe 45->57         started        59 powershell.exe 45->59         started        63 2 other processes 45->63 61 net1.exe 1 50->61         started        file15 signatures16 process17 signatures18 107 Loading BitLocker PowerShell Module 54->107 65 conhost.exe 54->65         started        67 conhost.exe 57->67         started        69 conhost.exe 59->69         started        71 conhost.exe 63->71         started        73 conhost.exe 63->73         started        process19
Score:
97%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/af2150ebafd8f655bc625da183bfa64597a6e16456f3be68b47830e418fdf2ac
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af2150ebafd8f655bc625da183bfa64597a6e16456f3be68b47830e418fdf2ac/
Threat name:
Script.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2024-04-10 05:54:36 UTC
File Type:
Text
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v4qvb25p3d3flpdclwqyhp5giwl2nylek3z342fupayoigh56kwa._file
Verdict:
unknown
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm persistence rat trojan
Link:
https://tria.ge/reports/240410-h8c3tsah2s/
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Deletes itself
Drops startup file
Executes dropped EXE
Blocklisted process makes network request
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction:
case-shield.gl.at.ply.gg:26501
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af2150ebafd8f655bc625da183bfa64597a6e16456f3be68b47830e418fdf2ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments