MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bca5317c27eb5f4a7816d00e8a0a20359ec8b72c46be5ad08d7f751583bed1d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 18


Intelligence 18 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bca5317c27eb5f4a7816d00e8a0a20359ec8b72c46be5ad08d7f751583bed1d9
SHA3-384 hash: 7af308151f7f98d423fa16345d4e06193e4a5d995bb781711ed7ace9f6b363454ccb6af7528434ff20908323bb449128
SHA1 hash: 2083d6a1cd4e5b20dbf05b0129567fa6d5d58be1
MD5 hash: 7db06312c9e756050bb2204742c61f1b
humanhash: mississippi-charlie-salami-oregon
File name:Invoice_For_Balance_Payament.cmd
Download: download sample
Signature XWorm
Create hunting rule
File size:564'224 bytes
First seen:2025-09-18 15:17:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:9nhEAEwP0mdy5yySNr+6PdKBEH2e8nH83o:9hEAErmd3yg59H21oo
TLSH T1E0C4F04433AAD901D5F24FF10970D7B407B8AE9DB921C20A4EF6ACEF7C39B10A955392
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe xworm

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.157.163.140:60875 https://threatfox.abuse.ch/ioc/1593805/

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice_For_Balance_Payament.cmd
Verdict:
Malicious activity
Analysis date:
2025-09-18 15:19:55 UTC
Tags:
auto-sch-xml pastebin remote xworm
Link:
https://app.any.run/tasks/ef1d5eb7-ab00-4b81-897c-83ccbc1ce79c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28180/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.19963719.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68cc228c246a2631bd30ac13
Tags:
shell virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Loading a suspicious library
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
MSIL/GenKryptik_AGeneric.BLT trojan
Link:
https://www.hybrid-analysis.com/sample/bca5317c27eb5f4a7816d00e8a0a20359ec8b72c46be5ad08d7f751583bed1d9
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-18T03:02:00Z UTC
Last seen:
2025-09-18T03:02:00Z UTC
Hits:
~10000
Link:
https://opentip.kaspersky.com/bca5317c27eb5f4a7816d00e8a0a20359ec8b72c46be5ad08d7f751583bed1d9/results?tab=lookup
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/59d8f94d-f924-46b3-adec-c2f691cbb756
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1780144
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1780144 Sample: Invoice_For_Balance_Payamen... Startdate: 18/09/2025 Architecture: WINDOWS Score: 100 48 pastebin.com 2->48 54 Suricata IDS alerts for network traffic 2->54 56 Found malware configuration 2->56 58 Sigma detected: Scheduled temp file as task from temp location 2->58 62 12 other signatures 2->62 8 Invoice_For_Balance_Payament.cmd.exe 7 2->8         started        12 wIrEWAAReI.exe 5 2->12         started        signatures3 60 Connects to a pastebin service (likely for C&C) 48->60 process4 file5 40 C:\Users\user\AppData\...\wIrEWAAReI.exe, PE32 8->40 dropped 42 C:\Users\...\wIrEWAAReI.exe:Zone.Identifier, ASCII 8->42 dropped 44 C:\Users\user\AppData\Local\...\tmp3B9F.tmp, XML 8->44 dropped 46 Invoice_For_Balance_Payament.cmd.exe.log, ASCII 8->46 dropped 64 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->64 66 Uses schtasks.exe or at.exe to add and modify task schedules 8->66 68 Adds a directory exclusion to Windows Defender 8->68 14 powershell.exe 23 8->14         started        17 powershell.exe 23 8->17         started        19 Invoice_For_Balance_Payament.cmd.exe 15 2 8->19         started        22 schtasks.exe 1 8->22         started        70 Multi AV Scanner detection for dropped file 12->70 72 Injects a PE file into a foreign processes 12->72 24 schtasks.exe 12->24         started        26 wIrEWAAReI.exe 12->26         started        signatures6 process7 dnsIp8 74 Loading BitLocker PowerShell Module 14->74 28 conhost.exe 14->28         started        30 WmiPrvSE.exe 14->30         started        32 conhost.exe 17->32         started        50 185.157.163.140, 49718, 60875 OBE-EUROPEObenetworkEuropeSE Sweden 19->50 52 pastebin.com 172.66.171.73, 443, 49717 CLOUDFLARENETUS United States 19->52 34 WerFault.exe 19->34         started        36 conhost.exe 22->36         started        38 conhost.exe 24->38         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bca5317c27eb5f4a7816d00e8a0a20359ec8b72c46be5ad08d7f751583bed1d9
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.44 Win 32 Exe x86
Link:
https://app.malva.re/file/7db06312c9e756050bb2204742c61f1b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bca5317c27eb5f4a7816d00e8a0a20359ec8b72c46be5ad08d7f751583bed1d9/
Threat name:
Win32.Trojan.VIPKeylogger
Create hunting rule
Status:
Malicious
First seen:
2025-09-18 07:34:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xsstc7bh5npuu6aw2ahiucragwpmrnzmi27fvuenp52rla562hmq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
error
XWorm
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution persistence rat trojan
Link:
https://tria.ge/reports/250918-spbqrsal6v/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1863d279-963e-4e97-81f8-245b3f9e6634
Unpacked files
SH256 hash:
bca5317c27eb5f4a7816d00e8a0a20359ec8b72c46be5ad08d7f751583bed1d9
MD5 hash:
7db06312c9e756050bb2204742c61f1b
SHA1 hash:
2083d6a1cd4e5b20dbf05b0129567fa6d5d58be1
Link:
https://www.unpac.me/results/b537e91c-f5b7-47e6-998a-9630729b1b70/
SH256 hash:
b5b322f50a3506a2a6d884464ec4ff1e92aa1b395060685c436f62b5c4b12dbd
MD5 hash:
781b69cd5d085a2cf7a530c614ff2c05
SHA1 hash:
04ea53cf597d142621931d87550321daf5e95f1d
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/b537e91c-f5b7-47e6-998a-9630729b1b70/
SH256 hash:
1041b538ccbc7d66e59247ef7551cde9b6c282843541585e9190a8e2e3943b12
MD5 hash:
e870d1e8f3791ccc141f85f40fd2972b
SHA1 hash:
150919ee289cffa6feb40ab8261f620dd7e26aac
Link:
https://www.unpac.me/results/b537e91c-f5b7-47e6-998a-9630729b1b70/
SH256 hash:
75052a0da2dc3d040d2c84379923de943956dd91b559778e19b441afc24c5d16
MD5 hash:
b9a66bab0dc0c24ea1d1d8abb8ab2037
SHA1 hash:
8c291bf93a2e824e43efed16a1e1e82514cf127d
Link:
https://www.unpac.me/results/b537e91c-f5b7-47e6-998a-9630729b1b70/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bca5317c27eb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bca5317c27eb5f4a7816d00e8a0a20359ec8b72c46be5ad08d7f751583bed1d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Executable exe bca5317c27eb5f4a7816d00e8a0a20359ec8b72c46be5ad08d7f751583bed1d9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28180/

Comments