MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cabe7c8088610b32f234f920fdfc9c0ba3c64301e1cb3bd443f400b9998ba50f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cabe7c8088610b32f234f920fdfc9c0ba3c64301e1cb3bd443f400b9998ba50f
SHA3-384 hash: 44bdcc6fc0040d5dbbc03f0c4dc8a5ae7e8c51e5fa32f208aed19ad0980a78f18596b06764c613e5dc53a4ef1d6bd4e2
SHA1 hash: 4027e2b31637320f9c7b0e55b349a022436604b9
MD5 hash: a35f3023a17618609a2a6f498e07e13a
humanhash: hamper-michigan-twelve-queen
File name:awb_original_shipping_doc_bl_inv_001700720242247820020031808174CN18003105292025.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:57'601 bytes
First seen:2025-05-30 07:30:16 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 1536:kUemA7xNrwqkOO/YdArmEwiq9mXD6j8vk6r8qV:xexMqk7tYmTFVVV
Threatray 708 similar samples on MalwareBazaar
TLSH T10243603CC9A5FCC043AF70F3566DFB7A31AC0B13A675175CB6C509A6181968EEB36148
Magika txt
Reporter lowmal3
Tags:bat xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
awb_original_shipping_doc_bl_inv_001700720242247820020031808174CN18003105292025.bat
Verdict:
No threats detected
Analysis date:
2025-05-30 07:34:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9a0355bc-4c3d-44dc-9b24-98cfee312400

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6286/
Detection(s):
SecuriteInfo.com.BAT.Obfus-4.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68395f80668438e362e86558
Tags:
obfuscate xtreme shell
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd evasive lolbin masquerade obfuscated powershell timeout
Link:
https://www.filescan.io/uploads/68395ee6fd02ed5e058feb38/reports/df01ab01-b910-455d-aaa3-1913fbabbeb1/overview
Verdict:
Malicious
Labled as:
BAT/Agent.AZY
Link:
https://www.hybrid-analysis.com/sample/cabe7c8088610b32f234f920fdfc9c0ba3c64301e1cb3bd443f400b9998ba50f
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1702083
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Uses dynamic DNS services
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1702083 Sample: awb_original_shipping_doc_b... Startdate: 30/05/2025 Architecture: WINDOWS Score: 100 57 businesstradings.duckdns.org 2->57 67 Suricata IDS alerts for network traffic 2->67 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 75 11 other signatures 2->75 10 cmd.exe 1 2->10         started        13 cmd.exe 1 2->13         started        15 svchost.exe 1 1 2->15         started        signatures3 73 Uses dynamic DNS services 57->73 process4 dnsIp5 77 Suspicious powershell command line found 10->77 79 Bypasses PowerShell execution policy 10->79 81 Suspicious command line found 10->81 18 cmd.exe 1 10->18         started        21 conhost.exe 10->21         started        23 cmd.exe 1 13->23         started        25 conhost.exe 13->25         started        61 127.0.0.1 unknown unknown 15->61 signatures6 process7 signatures8 63 Suspicious powershell command line found 18->63 65 Suspicious command line found 18->65 27 powershell.exe 19 18->27         started        32 conhost.exe 18->32         started        34 cmd.exe 1 18->34         started        36 powershell.exe 23->36         started        38 conhost.exe 23->38         started        40 cmd.exe 1 23->40         started        42 timeout.exe 1 23->42         started        process9 dnsIp10 59 businesstradings.duckdns.org 185.167.61.11, 3033, 49682 INETLTDTR Turkey 27->59 53 C:\Users\user\...\StartupScript_4f552d56.cmd, ASCII 27->53 dropped 85 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 27->85 87 Suspicious powershell command line found 27->87 89 Found suspicious powershell code related to unpacking or dynamic code loading 27->89 44 powershell.exe 36 27->44         started        47 powershell.exe 28 27->47         started        55 \Device\ConDrv, ASCII 36->55 dropped 49 powershell.exe 36->49         started        file11 signatures12 process13 signatures14 83 Loading BitLocker PowerShell Module 44->83 51 conhost.exe 44->51         started        process15
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/cabe7c8088610b32f234f920fdfc9c0ba3c64301e1cb3bd443f400b9998ba50f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cabe7c8088610b32f234f920fdfc9c0ba3c64301e1cb3bd443f400b9998ba50f/
Threat name:
Script-BAT.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-05-29 13:33:07 UTC
File Type:
Text
AV detection:
7 of 24 (29.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zk7hzaeimeftf4ru7eqp37e4bor4mqyb4hftxvcd6qaltgmluuhq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
097dbcf18e9ebc074af64ac1a899693153ac937ba363a3f096e11a5a403105e3
XWorm
22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635
XWorm
575d4d61e043f68fbc070d178284a2cacfb2ecaa0e352df98382e0fde7495f5f
XWorm
6716e245598aa6ca23203f7fdeb0f94fb411570d98bcd11b946839b67bdb5f37
XWorm
8c062a386c48015cda3a3c81edb65e0f0260bbd76d09bbc1e2d5e52b181c00b0
XWorm
90c97445e04e3b466ef00025c6c8b7656205dd48a7456f05986dbbae983597c3
XWorm
cb80f3f8dbdf12c6929acd19d547b1c0278e7b71a4e2bcf232a7776cf1c287df
XWorm
error
XWorm
+ 698 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250530-jb3gwstvdv/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Network Configuration Discovery: Internet Connection Discovery
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cabe7c8088610b32f234f920fdfc9c0ba3c64301e1cb3bd443f400b9998ba50f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Batch (bat) bat cabe7c8088610b32f234f920fdfc9c0ba3c64301e1cb3bd443f400b9998ba50f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/6286/

Comments