MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb61e58f11e979f287a40449ddb0172abbe28c96b2c04a6b3560a3f6d536539d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb61e58f11e979f287a40449ddb0172abbe28c96b2c04a6b3560a3f6d536539d
SHA3-384 hash: 8f8db50136cdb80245d435f3e7424beeab32336e0d2cf1f0e0a72780b809af8673ab45dfb059d98279b3d8e77af6694b
SHA1 hash: 75e2ec13753b161dd8fb8d15940f70c121d8775f
MD5 hash: 08d7d5f2f0e18ec81157efd97055f44f
humanhash: seventeen-emma-bacon-crazy
File name:loader.bat
Download: download sample
Signature Formbook
Create hunting rule
File size:310'054 bytes
First seen:2025-04-26 23:15:59 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 6144:10bJlZOybRNDIaohTtS7roB0JPcIkm9dycb+ZHaPPv0eJp70G:kdnU/hB4roBG5km9nbs870G
Threatray 1'060 similar samples on MalwareBazaar
TLSH T16664CECFFE409AD17CECC3655F73899E36D342AA0A807C92114B6284CAF697C1AF5217
Magika powershell
Reporter BastianHein
Tags:Alien bat FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
CL CL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
loader.bat
Verdict:
No threats detected
Analysis date:
2025-04-26 23:17:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/95a36015-4bdf-472a-9f99-7385e80d5127

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/4230/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680d6a78cc5fb3600cc2f793
Tags:
xtreme shell sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/680d693a218c4a98ade355c6/reports/bb0b9fe2-4975-4513-b551-c8588f6dd0ce/overview
Verdict:
Malicious
Labled as:
BAT/Kryptik.X trojan
Link:
https://www.hybrid-analysis.com/sample/bb61e58f11e979f287a40449ddb0172abbe28c96b2c04a6b3560a3f6d536539d
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1675232
Signature
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell decrypt and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1675232 Sample: loader.bat Startdate: 27/04/2025 Architecture: WINDOWS Score: 100 77 ip-api.com 2->77 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 Antivirus detection for URL or domain 2->85 87 20 other signatures 2->87 12 cmd.exe 1 2->12         started        15 wscript.exe 1 2->15         started        17 svchost.exe 1 1 2->17         started        signatures3 process4 dnsIp5 105 Suspicious powershell command line found 12->105 107 Wscript starts Powershell (via cmd or directly) 12->107 109 Bypasses PowerShell execution policy 12->109 20 powershell.exe 3 19 12->20         started        24 net.exe 1 12->24         started        26 conhost.exe 12->26         started        111 Windows Scripting host queries suspicious COM object (likely to drop second stage) 15->111 113 Suspicious execution chain found 15->113 75 127.0.0.1 unknown unknown 17->75 signatures6 process7 file8 71 C:\Users\user\AppData\...\startup_str_390.vbs, ASCII 20->71 dropped 73 C:\Users\user\AppData\...\startup_str_390.bat, DOS 20->73 dropped 95 Suspicious powershell command line found 20->95 97 Adds a directory exclusion to Windows Defender 20->97 99 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 20->99 28 wscript.exe 1 20->28         started        31 powershell.exe 37 20->31         started        33 net1.exe 1 24->33         started        signatures9 process10 signatures11 115 Wscript starts Powershell (via cmd or directly) 28->115 35 cmd.exe 1 28->35         started        117 Loading BitLocker PowerShell Module 31->117 38 conhost.exe 31->38         started        40 MpCmdRun.exe 33->40         started        process12 signatures13 89 Suspicious powershell command line found 35->89 91 Wscript starts Powershell (via cmd or directly) 35->91 42 powershell.exe 35->42         started        46 net.exe 35->46         started        48 conhost.exe 35->48         started        50 conhost.exe 40->50         started        process14 dnsIp15 79 ip-api.com 208.95.112.1, 49722, 80 TUT-ASUS United States 42->79 101 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 42->101 103 Adds a directory exclusion to Windows Defender 42->103 52 powershell.exe 42->52         started        55 powershell.exe 42->55         started        57 powershell.exe 42->57         started        59 powershell.exe 42->59         started        61 net1.exe 46->61         started        signatures16 process17 signatures18 93 Loading BitLocker PowerShell Module 52->93 63 conhost.exe 52->63         started        65 conhost.exe 55->65         started        67 conhost.exe 57->67         started        69 conhost.exe 59->69         started        process19
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/bb61e58f11e979f287a40449ddb0172abbe28c96b2c04a6b3560a3f6d536539d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bb61e58f11e979f287a40449ddb0172abbe28c96b2c04a6b3560a3f6d536539d/
Threat name:
Script-BAT.Trojan.Alien
Create hunting rule
Status:
Malicious
First seen:
2025-04-26 21:37:46 UTC
File Type:
Text
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xnq6ldyr5f47fb5eare53maxfk56fdewwlaeu2zvmcr7nvjwkooq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
1ca4a73b1076d2c6c0b97b3544919281b091e260f4970f62ae7f1cbcb9cc5e74
Formbook
2bd38b201c0c2fd95fcdc6824cdce1952ae7ed0b89f1ee52be2a27341903318c
Formbook
37f4decd5be11194eff9bab5896494dac9c83821070a7aa8d2660067ed48197e
Formbook
4dc4aa3db5cc5989c820289038614e287dd347fbd6b64c697c89e6d52042c465
Formbook
b99cd41e40fa63ebe8efc4f1263d9fe3c0151a05ac580ee5421ca365f163e5ea
Formbook
dcbdf146c3371066501d5005be84b3a30ed653c123fbc247fe5f91239b968cdb
Formbook
error
Formbook
+ 1'050 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/250426-286jxstlv9/
Behaviour
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
me071949-22956.portmap.io:22956
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb61e58f11e979f287a40449ddb0172abbe28c96b2c04a6b3560a3f6d536539d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/4230/

Comments