MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc09f55637072c7db1f9a1efbaae4a6ccbe84000b1703121720b063806242633. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc09f55637072c7db1f9a1efbaae4a6ccbe84000b1703121720b063806242633
SHA3-384 hash: 31872340a07c50e095b951f2f3b5fddf6a6040eade977a8db6f224d7656b2653ef31e541856870ee0d76f77e8c5f4ba3
SHA1 hash: 391d8c7f3ac8ce2bdb20f8100ef74a1f4902ffbd
MD5 hash: aaa022cbdad602857e4c638992873f44
humanhash: april-don-potato-kentucky
File name:awb_dhl_bl_inv_dhl_original_shipping_doc_06_12_2025_pdf.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:77'211 bytes
First seen:2025-06-12 17:44:46 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 1536:oqXasywnD8IPXxIfh9Xe7ZMoC2moZqZhkfuLiKdjlJbfMZie/rO:oqXasywD1GO7aoCwZqPkmLiKZlFfMAea
Threatray 1'804 similar samples on MalwareBazaar
TLSH T19173C77EC6FFBCC05726B4D14AFE3B4900DD47D3F164ABACB1D85860182A458AB362D9
Magika vba
Reporter smica83
Tags:bat HUN xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
awb_dhl_bl_inv_dhl_original_shipping_doc_06_12_2025_pdf.bat
Verdict:
Malicious activity
Analysis date:
2025-06-12 17:47:13 UTC
Tags:
auto-startup susp-powershell remote xworm
Link:
https://app.any.run/tasks/04b14c27-bd4e-4057-8af8-d654e6af6a8c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/9195/
Detection(s):
SecuriteInfo.com.BAT.Obfus-4.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.BAT.Obfus-3.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=684b12448bd5d68a12e8437e
Tags:
obfuscate autorun xtreme shell
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 evasive masquerade obfuscated powershell
Link:
https://www.filescan.io/uploads/684b1247fd02ed5e05a7037c/reports/e27533e7-9fff-491b-b668-79320040b4ff/overview
Verdict:
Malicious
Labled as:
BAT/Agent.AZY
Link:
https://www.hybrid-analysis.com/sample/cc09f55637072c7db1f9a1efbaae4a6ccbe84000b1703121720b063806242633
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1713541
Signature
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1713541 Sample: awb_dhl_bl_inv_dhl_original... Startdate: 12/06/2025 Architecture: WINDOWS Score: 100 75 businesstradings.duckdns.org 2->75 81 Suricata IDS alerts for network traffic 2->81 83 Found malware configuration 2->83 85 Malicious sample detected (through community Yara rule) 2->85 89 13 other signatures 2->89 8 cmd.exe 1 2->8         started        11 cmd.exe 1 2->11         started        13 cmd.exe 1 2->13         started        15 13 other processes 2->15 signatures3 87 Uses dynamic DNS services 75->87 process4 signatures5 97 Suspicious powershell command line found 8->97 99 Bypasses PowerShell execution policy 8->99 17 cmd.exe 3 8->17         started        20 conhost.exe 8->20         started        22 cmd.exe 2 11->22         started        24 conhost.exe 11->24         started        26 cmd.exe 2 13->26         started        28 conhost.exe 13->28         started        30 cmd.exe 2 15->30         started        32 cmd.exe 2 15->32         started        34 24 other processes 15->34 process6 signatures7 79 Suspicious powershell command line found 17->79 36 powershell.exe 18 17->36         started        41 conhost.exe 17->41         started        43 powershell.exe 17 22->43         started        45 conhost.exe 22->45         started        47 powershell.exe 26->47         started        49 conhost.exe 26->49         started        51 2 other processes 30->51 53 2 other processes 32->53 55 22 other processes 34->55 process8 dnsIp9 77 businesstradings.duckdns.org 185.167.61.11, 3033, 49693 INETLTDTR Turkey 36->77 57 C:\Users\user\AppData\Roaming\...\7eae.bat, ASCII 36->57 dropped 91 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 36->91 93 Drops script or batch files to the startup folder 36->93 95 Found suspicious powershell code related to unpacking or dynamic code loading 36->95 59 C:\Users\user\AppData\Roaming\...\3eab.bat, ASCII 43->59 dropped 61 C:\Users\user\AppData\Roaming\...\374b.bat, ASCII 47->61 dropped 63 C:\Users\user\AppData\Roaming\...\c274.bat, ASCII 51->63 dropped 65 C:\Users\user\AppData\Roaming\...\e83b.bat, ASCII 53->65 dropped 67 C:\Users\user\AppData\Roaming\...\faaf.bat, ASCII 55->67 dropped 69 C:\Users\user\AppData\Roaming\...\f54d.bat, ASCII 55->69 dropped 71 C:\Users\user\AppData\Roaming\...\eb39.bat, ASCII 55->71 dropped 73 8 other malicious files 55->73 dropped file10 signatures11
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/cc09f55637072c7db1f9a1efbaae4a6ccbe84000b1703121720b063806242633
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc09f55637072c7db1f9a1efbaae4a6ccbe84000b1703121720b063806242633/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/cc09f55637072c7db1f9a1efbaae4a6ccbe84000b1703121720b063806242633
Threat name:
Script-BAT.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-06-12 09:08:43 UTC
File Type:
Text
AV detection:
7 of 38 (18.42%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zqe7kvrxa4wh3mpzuhx3vlskntf6qqaawfydcilsbmddqbreeyzq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
1ba574b61dca255ef93e884d9cbad520403166562a7ae8ce28417080d52fe0a7
XWorm
4c3c7c82fef77195b527cac193188f01065d38da118efdd8d51d8fb53f5af87e
XWorm
4fecb0662c4acd463645475e4efca2a14f4afa0960f34cdfd3e50346005efd83
XWorm
56f304f2e560f09da015a9f0744e3a0825f420e092ebf7d4605b81b56054bba5
XWorm
a90c46b549a798b086e2ef3ee17728c7456cdf3730b25f50500143e3a56de1f8
XWorm
cabe7c8088610b32f234f920fdfc9c0ba3c64301e1cb3bd443f400b9998ba50f
XWorm
e5269c1e1058ff5344999040ab4d02ad3cc2cb1020a2e1d9de9c62fed5e9123f
XWorm
e9711aa0601544265b4f9c24442069c4edcd331af55798ca2e4a4d25532ddfd8
XWorm
error
XWorm
fa998dd5153a01397534f381ab5655a7afeb94e4b236e0dc4ffbed6891011949
XWorm
+ 1'794 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution rat trojan
Link:
https://tria.ge/reports/250612-wby6pazzht/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Network Configuration Discovery: Internet Connection Discovery
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cc09f5563707/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc09f55637072c7db1f9a1efbaae4a6ccbe84000b1703121720b063806242633

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/9195/

Comments