MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfe654871546beefc5b379d95a582716abbf505ecb1867f185b60dc257a0d4b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm
Vendor detections: 16

SHA256 hash: bfe654871546beefc5b379d95a582716abbf505ecb1867f185b60dc257a0d4b4
SHA3-384 hash: f7ac20a556211dae87bdb4239a1ae1626005cba481cb9df879d1880d8fa532ac41ff6843264637f71c6d8c57fac9facc
SHA1 hash: f89cd33958017d705b417822168589c7c267d586
MD5 hash: 7d442c81d0179cc3888d26c1bf67ca57
humanhash: mexico-uncle-hotel-johnny
File name: RFQ ARL6100226FF.bat
Signature: XWorm
File size: 94'591 bytes
First seen: 2026-02-23 08:53:16 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 1536:tPSqZJYVNX6Z70By6/f3Z3xJOi4osT85SGAP9qA5Y5qyFyrFwWPb00diXiWgV:dScJr0V3Z3x0i4o4mSB5OFaFVw0diXin
TLSH: T1EA93E1125E692E108764062DD0FE28C566A95FDB5043798EEBB3BD0A6FFB20831D31DD
Magika: batch
Reporter: lowmal3
Tags: bat xworm

Intelligence


File Origin
# of uploads: 1
# of downloads: 86
Origin country: DE
Vendor Threat Intelligence
Malware configuration found for: BatchScript
Details
Malware family: n/a
ID: 1
File name: aaa0321f-9987-4888-8233-f562d34cefe3.zip
Verdict: Malicious activity
Analysis date: 2026-02-21 18:52:08 UTC
Tags: arch-email arch-exec attachments attc-arch xworm remote

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: dropper emotet shell sage
Result
Verdict: Malware

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 cscript lolbin obfuscated powershell stealer xworm
Verdict: Malicious
File Type: unix shell
Detections: Backdoor.Agent.TCP.C&C Trojan-Dropper.Win32.Injector.sb Backdoor.MSIL.XWorm.a Trojan-PSW.Win32.Stealer.sb PDM:Trojan.Win32.Generic Trojan.Win32.Shellcode.sb Trojan.Win32.Agent.sb HEUR:Trojan-PSW.BAT.Stealer.gen Backdoor.Win32.Androm.sb Backdoor.MSIL.XWorm.b Backdoor.MSIL.Agent.sb
Result
Threat name: DonutLoader, XWorm
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Benign windows process drops PE files
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected DonutLoader
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph (ID 1873483; sample RFQ ARL6100226FF.bat; start date 23/02/2026; architecture WINDOWS; score 100)

Top-level network: ax-0003.ax-dc-msedge.net, api.msn.com, 2 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures

Process tree reconstructed from the graph edges ("dropped" = file written by that process, "injected" = code injected into an already running process; signatures attached to a node are in square brackets):

RFQ ARL6100226FF.bat
├─ cmd.exe  [Suspicious powershell command line found; Command shell drops VBS files; Uses cmd line tools excessively to alter registry or file data; Bypasses PowerShell execution policy]
│  ├─ conhost.exe
│  └─ cscript.exe
│     └─ cmd.exe  (dropped: C:\Users\user\AppData\Roaming\WIPE\Male.cmd, DOS)  [Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data]
│        ├─ conhost.exe
│        ├─ reg.exe
│        ├─ attrib.exe
│        └─ powershell.exe  (dropped: C:\Users\user\AppData\...\ff3yifxl.cmdline, Unicode; C:\Users\user\AppData\Local\...\ff3yifxl.0.cs, C++)  [Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; 2 other signatures]
│           ├─ csc.exe  (dropped: C:\Users\user\AppData\Local\...\ff3yifxl.dll, PE32)
│           │  └─ cvtres.exe
│           ├─ csc.exe  (dropped: C:\Users\user\AppData\Local\...\ios2pqfe.dll, PE32)
│           │  └─ cvtres.exe
│           ├─ explorer.exe (injected)  (dropped: C:\Users\user\AppData\...\Protect2a3d628b.dll, PE32+)  network: 204.10.160.190 (ports 49685, 49692, 49703; UNREAL-SERVERSUS, Canada), 204.79.197.203 (port 443; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)  [Benign windows process drops PE files; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Unusual module load detection (module proxying)]
│           │  ├─ cmd.exe  [Command shell drops VBS files]
│           │  └─ WerFault.exe
│           └─ explorer.exe (started)  network: ax-0003.ax-dc-msedge.net 150.171.30.12 (ports 443, 49700; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)  [System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs); Tries to harvest and steal browser information (history, passwords, etc)]
├─ cmd.exe
│  ├─ conhost.exe
│  └─ cscript.exe
│     └─ cmd.exe
│        ├─ conhost.exe
│        ├─ reg.exe
│        └─ powershell.exe
│           ├─ conhost.exe
│           └─ cscript.exe
│              └─ cmd.exe  [Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data]
│                 ├─ conhost.exe
│                 ├─ reg.exe
│                 └─ powershell.exe
└─ svchost.exe  network: 127.0.0.1
Threat name: Script-BAT.Trojan.Leonem
Status: Malicious
First seen: 2026-02-21 08:46:19 UTC
File Type: Text (Batch)
AV detection: 9 of 24 (37.50%)
Threat level: 5/5
Verdict: malicious
Label(s): xworm donutloader neptunerat
Result
Score: 10/10
Tags: family:donutloader family:xworm defense_evasion execution loader persistence rat trojan
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Detects DonutLoader
DonutLoader
Donutloader family
Xworm
Xworm family
Malware Config
C2 Extraction: 204.10.160.190:7003

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Base64_Encoded_Powershell_Directives
Rule name: BAT_Begin_Substring_Env
Author: marcin@ulikowski.pl
Description: Detects suspicious substring syntax at the beginning of batch script
Reference: https://cybersecurity.att.com/blogs/labs-research/seroxen-rat-for-sale
Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name: obfuscated_BAT
Author: @warz_s
Description: Identifies obfuscated BAT files
Reference: https://github.com/secwarz/YaraRules
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FP)
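BAT_Begin_Substring_Env and obfuscated_BAT fire on the cmd.exe substring syntax `%VAR:~start,len%`, which lets a script assemble `powershell`, `Set-MpPreference` and similar words from slices of ordinary environment variables so that string rules such as Disable_Defender and Sus_CMD_Powershell_Usage never see them in the file. The script below is an added example written for this page, not code from the rule authors or from MalwareBazaar: it implements cmd.exe's substring-expansion and `set` semantics, expands a constructed batch fragment against a hypothetical environment, and shows that a Defender-tampering signature matches only after expansion. The SAMPLE script, the ENV values, the variable names z and m and the Upd.cmd path are all made up; the sample on this page is not reproduced here.

```python
"""Added example: resolve cmd.exe %VAR:~start,len% slices and %VAR% references so
content signatures can be matched on what a batch script actually runs.
SAMPLE and ENV are constructed for this example; they are not the page's sample."""
import re

ENV = {  # hypothetical victim environment; every slice in SAMPLE indexes into these strings
    "COMSPEC": r"C:\Windows\System32\cmd.exe",
    "PUBLIC": r"C:\Users\Public",
    "SYSTEMROOT": r"C:\Windows",
    "TEMP": r"C:\Users\john\AppData\Local\Temp",
    "APPDATA": r"C:\Users\john\AppData\Roaming",
}

# Constructed obfuscated fragment: "@echo off", "set z=shell", then a PowerShell
# Defender-tampering command and a Run-key write, all spelled out via slices.
SAMPLE = "\n".join([
    r"@%COMSPEC:~-1%%PUBLIC:~-1%%TEMP:~11,1%%SYSTEMROOT:~7,1% off",
    r"set z=%PUBLIC:~4,1%%TEMP:~11,1%%COMSPEC:~-1%%PUBLIC:~12,1%%PUBLIC:~12,1%",
    r"set m=Set-Mp",
    r'%TEMP:~15,1%%SYSTEMROOT:~7,1%%SYSTEMROOT:~8,1%%COMSPEC:~-1%%PUBLIC:~6,1%%z% -ep bypass -w hidden '
    r'-c "%m%Preference -Disable%PUBLIC:~6,1%ealtimeMonitoring $true"',
    r'%PUBLIC:~6,1%%COMSPEC:~-1%g add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
    r'/v Upd /t REG_SZ /d "%APPDATA%\Upd.cmd" /f',
])

# %NAME%, %NAME:~start% or %NAME:~start,len% (the %NAME:str=repl% form is not handled here)
TOKEN = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)(?::~(-?\d+)(?:,(-?\d+))?)?%")
SET_LINE = re.compile(r"^\s*set\s+([^=]+)=(.*)$", re.I)
SUBSTRING_TOKEN = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*:~-?\d+")
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference|DisableRealtimeMonitoring|netsh\s+advfirewall|SmartScreenEnabled", re.I)


def substring(value, start, length):
    """cmd.exe semantics: negative start counts from the end, negative len drops that
    many characters from the end, a missing len means 'to the end'."""
    n = len(value)
    s = start if start >= 0 else max(n + start, 0)
    if length is None:
        return value[s:]
    if length >= 0:
        return value[s:s + length]
    return value[s:n + length]


def expand_line(line, env):
    def repl(m):
        value = env.get(m.group(1).upper(), "")  # inside a script an undefined %VAR% is empty
        if m.group(2) is None:
            return value
        length = int(m.group(3)) if m.group(3) is not None else None
        return substring(value, int(m.group(2)), length)
    return TOKEN.sub(repl, line)


def deobfuscate(script, env):
    """Expand line by line; a plain 'set name=value' feeds later lines, as in cmd.exe."""
    env = dict(env)
    out = []
    for raw in script.splitlines():
        line = expand_line(raw, env)
        out.append(line)
        m = SET_LINE.match(line)
        if m:
            env[m.group(1).strip().upper()] = m.group(2)
    return out


def triage(script, env):
    """Mimic the two rule ideas above: slice density at the top of the file, then
    signature matching on the expanded text rather than the raw bytes."""
    findings = []
    head = "\n".join(script.splitlines()[:3])
    n = len(SUBSTRING_TOKEN.findall(head))
    if n >= 4:
        findings.append(f"env-substring obfuscation at start of script ({n} slices in first 3 lines)")
    for i, line in enumerate(deobfuscate(script, env), 1):
        if DEFENDER_TAMPER.search(line):
            findings.append(f"line {i}: Defender/firewall tampering after expansion")
    return findings


if __name__ == "__main__":
    for raw, clean in zip(SAMPLE.splitlines(), deobfuscate(SAMPLE, ENV)):
        print(f"{raw}\n    -> {clean}")
    print(triage(SAMPLE, ENV))
```

The caveat for production use is that the slices are only meaningful relative to the environment of the machine the script will run on: `%PUBLIC:~-1%` is `c` on a default install but not if the profile directory was relocated, so an analyst expanding a real sample should use the victim's (or a default Windows) environment rather than the sandbox host's, and should treat a script whose first lines are almost entirely slices as suspicious regardless of what they expand to.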

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Signature: XWorm
File type: Batch (bat)
SHA256: bfe654871546beefc5b379d95a582716abbf505ecb1867f185b60dc257a0d4b4 (this sample)
