MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b01f3e9d8a5f912424dce47d7490fdf68f81ffa319cb64266feed1c53fd5b702. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b01f3e9d8a5f912424dce47d7490fdf68f81ffa319cb64266feed1c53fd5b702
SHA3-384 hash: b45952a8ce9220d2d4776670dfbd6882ab605a1f48611a6bc0537b4069b8c0ce6c9a85374a55ff281630714302595a0c
SHA1 hash: e9e8ca875decef6a82aa060f48b8da5b40f820f8
MD5 hash: e46c6e137b503b941b8a6bb144b683a9
humanhash: juliet-missouri-seven-skylark
File name:1.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:1'200 bytes
First seen:2025-08-31 19:03:05 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 24:C2ldCsevoRm2RXnDA28JkIBMp00uEf+URBdRNg8JgGMp00/tFHfMp00/tFAAbKe:XldnCoRFRXaq/sEf+URBfNgwsPN0PF+e
Threatray 1'687 similar samples on MalwareBazaar
TLSH T12D219D3E9970A9B9077C6554C4123D5362C613474B246994F8AE65700F3430AE3AD48C
Magika batch
Reporter smica83
Tags:bat xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1.bat
Verdict:
No threats detected
Analysis date:
2025-08-31 19:04:23 UTC
Tags:
susp-powershell
Link:
https://app.any.run/tasks/feeeb051-5a25-4bc6-ad8f-f6f3fb1a9a1d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/24392/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b49c863e988eb6ab834fb7
Tags:
asyncrat phishing autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the process to interact with network services
Launching a process
Creating a file
DNS request
Connection attempt
Сreating synchronization primitives
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
UAC.Marte.B.Generic
Link:
https://www.hybrid-analysis.com/sample/b01f3e9d8a5f912424dce47d7490fdf68f81ffa319cb64266feed1c53fd5b702
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-08-31T16:06:00Z UTC
Last seen:
2025-08-31T16:06:00Z UTC
Hits:
~10
Detections:
Trojan.BAT.Agent.sb HEUR:Backdoor.MSIL.XClient.b Backdoor.MSIL.XWorm.a Trojan.Win32.Agent.sb Backdoor.Agent.TCP.C&C Trojan.Win32.Powershell.d HEUR:Backdoor.MSIL.XWorm.gen Backdoor.MSIL.XWorm.b PDM:Trojan.Win32.Tasker.cust HEUR:Trojan.BAT.Agent.gen PDM:Trojan.Win32.Generic NetTool.PowerShellUA.HTTP.C&C NetTool.PowerShellGet.HTTP.C&C
Link:
https://opentip.kaspersky.com/b01f3e9d8a5f912424dce47d7490fdf68f81ffa319cb64266feed1c53fd5b702/results?tab=lookup
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1768523
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1768523 Sample: 1.bat Startdate: 31/08/2025 Architecture: WINDOWS Score: 100 58 fuckrat.ru 2->58 60 raw.githubusercontent.com 2->60 62 github.com 2->62 70 Malicious sample detected (through community Yara rule) 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 Yara detected XWorm 2->74 76 8 other signatures 2->76 10 cmd.exe 1 2->10         started        13 msedge_temp12455456.exe 2->13         started        15 msedge_temp12455456.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 signatures5 84 Suspicious powershell command line found 10->84 86 Encrypted powershell cmdline option found 10->86 88 Bypasses PowerShell execution policy 10->88 19 powershell.exe 14 25 10->19         started        24 net.exe 1 10->24         started        26 conhost.exe 10->26         started        90 Antivirus detection for dropped file 13->90 92 Multi AV Scanner detection for dropped file 13->92 process6 dnsIp7 64 github.com 140.82.113.4, 443, 49691 GITHUBUS United States 19->64 66 raw.githubusercontent.com 185.199.109.133, 443, 49692 FASTLYUS Netherlands 19->66 54 C:\Users\user\AppData\Local\Temp\msedge.exe, PE32 19->54 dropped 80 Loading BitLocker PowerShell Module 19->80 82 Powershell drops PE file 19->82 28 msedge.exe 4 19->28         started        33 net1.exe 1 24->33         started        file8 signatures9 process10 dnsIp11 68 fuckrat.ru 147.45.216.236, 1131, 49695, 49696 FREE-NET-ASFREEnetEU Russian Federation 28->68 56 C:\Users\user\...\msedge_temp12455456.exe, PE32 28->56 dropped 94 Antivirus detection for dropped file 28->94 96 Multi AV Scanner detection for dropped file 28->96 98 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->98 100 3 other signatures 28->100 35 powershell.exe 23 28->35         started        38 powershell.exe 23 28->38         started        40 powershell.exe 28->40         started        42 2 other processes 28->42 file12 signatures13 process14 signatures15 78 Loading BitLocker PowerShell Module 35->78 44 conhost.exe 35->44         started        46 conhost.exe 38->46         started        48 conhost.exe 40->48         started        50 conhost.exe 42->50         started        52 conhost.exe 42->52         started        process16
Score:
88%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/b01f3e9d8a5f912424dce47d7490fdf68f81ffa319cb64266feed1c53fd5b702
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b01f3e9d8a5f912424dce47d7490fdf68f81ffa319cb64266feed1c53fd5b702/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/b01f3e9d8a5f912424dce47d7490fdf68f81ffa319cb64266feed1c53fd5b702
Threat name:
Script-BAT.Trojan.Marte
Create hunting rule
Status:
Malicious
First seen:
2025-08-31 19:04:25 UTC
File Type:
Text (Batch)
AV detection:
7 of 23 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wapt5hmkl6isijg44r6xjeh562hyd75ddhfwijtp53i4kp6vw4ba._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
275ec9cfb15d02fb150eafe5e173682ef7497ace5914f25826b428426f9019d6
XWorm
496d7e66ce98f06cab49eba51616c85558556a34682d87c824fd52e6a764a2a4
XWorm
8cb185d30039d4a941a79f71cb9c85de8b4092a3ee742633d5177db35e7becbb
XWorm
9695cfa0eee577f79c697f76f36de873ee23690067d1c0e56474e6b3f8c5b5ed
XWorm
error
XWorm
ff53ea407afca08ff7555f895686fb71cc858cfd51725efc6a678c2b202f31f4
XWorm
+ 1'677 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution persistence rat trojan
Link:
https://tria.ge/reports/250831-xqj6razsfy/
Behaviour
Runs net.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
fuckrat.ru:1131
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b01f3e9d8a5f912424dce47d7490fdf68f81ffa319cb64266feed1c53fd5b702

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:PowerShell_Susp_Parameter_Combo_RID336F
Create hunting rule
Author:Florian Roth
Description:Detects PowerShell invocation with suspicious parameters
Reference:https://goo.gl/uAic1X
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/24392/

Comments