MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf14a8622e9a0ab68011a62ee9e9ed33327ff924763fcd4a5f97c5fe8a6b8495. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf14a8622e9a0ab68011a62ee9e9ed33327ff924763fcd4a5f97c5fe8a6b8495
SHA3-384 hash: df5ee1629da8348b1b8fa3d316b0620e3076a8f3810e49b963acd137b7fe92e393abe8bf4f4b96ca1ba229f57a654213
SHA1 hash: 95e809ce9412e14a50f30ccca34610a95dde70d1
MD5 hash: 62a996c8cc1e1fd7d71e6e97097fcd90
humanhash: bluebird-sink-hot-alaska
File name:z93awb_DHL_Expr.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:284'695 bytes
First seen:2025-03-20 16:30:09 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 3072:GF6Z4lFdXoaiMUq38g8kky8+z3Qhndz163uLvw0iEnUtJbd70+NHfFvnbDWRhwdZ:lfysg8kkkadh6eKEnG77NHfZWqV
Threatray 2'057 similar samples on MalwareBazaar
TLSH T14654AF36F2F1CFC2C33A25E985BD7E0E118E0BEB607A8F4CF19998242AD901557F5895
Magika txt
Reporter FXOLabs
Tags:bat xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
z93awb_DHL_Expr.bat
Verdict:
Malicious activity
Analysis date:
2025-03-20 16:38:06 UTC
Tags:
susp-powershell remote xworm
Link:
https://app.any.run/tasks/6024ad69-9ad9-455d-bb05-ae52dd779eb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67dc446d115e7b48b48f323a
Tags:
backdoor autorun shell sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated
Link:
https://www.filescan.io/uploads/67dc429fb93e688233f0db5a/reports/048082da-dde7-4b7b-be84-562cc8d4ee89/overview
Verdict:
Suspicious
Labled as:
BAT/Agent.AZY
Link:
https://www.hybrid-analysis.com/sample/cf14a8622e9a0ab68011a62ee9e9ed33327ff924763fcd4a5f97c5fe8a6b8495
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Result
Threat name:
Batch Injector, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1644564
Signature
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
Yara detected Batch Injector
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1644564 Sample: z93awb_DHL_Expr.bat Startdate: 20/03/2025 Architecture: WINDOWS Score: 100 148 freeetradingzone.duckdns.org 2->148 154 Suricata IDS alerts for network traffic 2->154 156 Found malware configuration 2->156 158 Malicious sample detected (through community Yara rule) 2->158 162 19 other signatures 2->162 13 cmd.exe 1 2->13         started        16 cmd.exe 1 2->16         started        18 cmd.exe 1 2->18         started        20 9 other processes 2->20 signatures3 160 Uses dynamic DNS services 148->160 process4 signatures5 178 Suspicious powershell command line found 13->178 180 Bypasses PowerShell execution policy 13->180 22 cmd.exe 3 13->22         started        25 conhost.exe 13->25         started        27 cmd.exe 2 16->27         started        29 conhost.exe 16->29         started        31 cmd.exe 2 18->31         started        33 conhost.exe 18->33         started        35 cmd.exe 20->35         started        37 cmd.exe 20->37         started        39 16 other processes 20->39 process6 signatures7 166 Suspicious powershell command line found 22->166 41 powershell.exe 21 22->41         started        46 conhost.exe 22->46         started        48 powershell.exe 27->48         started        50 conhost.exe 27->50         started        52 powershell.exe 31->52         started        54 conhost.exe 31->54         started        56 2 other processes 35->56 58 2 other processes 37->58 60 13 other processes 39->60 process8 dnsIp9 150 freeetradingzone.duckdns.org 206.123.152.104, 3911, 49723 HVC-ASUS United States 41->150 144 C:\Users\user\...\StartupScript_e52d6c80.cmd, ASCII 41->144 dropped 146 C:\Users\user\AppData\...\tmpC3AF.tmp.bat, DOS 41->146 dropped 170 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 41->170 172 Adds a directory exclusion to Windows Defender 41->172 174 Found suspicious powershell code related to unpacking or dynamic code loading 41->174 76 2 other processes 41->76 62 cmd.exe 1 48->62         started        64 cmd.exe 52->64         started        66 cmd.exe 56->66         started        68 cmd.exe 58->68         started        70 cmd.exe 60->70         started        72 cmd.exe 60->72         started        74 cmd.exe 60->74         started        79 2 other processes 60->79 file10 signatures11 process12 signatures13 81 2 other processes 62->81 84 2 other processes 64->84 86 2 other processes 66->86 88 2 other processes 68->88 90 2 other processes 70->90 92 2 other processes 72->92 94 2 other processes 74->94 176 Loading BitLocker PowerShell Module 76->176 96 3 other processes 76->96 98 4 other processes 79->98 process14 signatures15 100 powershell.exe 81->100         started        103 conhost.exe 81->103         started        105 2 other processes 84->105 107 2 other processes 86->107 109 2 other processes 88->109 111 2 other processes 90->111 113 2 other processes 92->113 152 Suspicious powershell command line found 94->152 115 2 other processes 94->115 117 2 other processes 98->117 process16 signatures17 164 Adds a directory exclusion to Windows Defender 100->164 119 powershell.exe 100->119         started        122 powershell.exe 105->122         started        124 powershell.exe 107->124         started        126 powershell.exe 109->126         started        128 powershell.exe 111->128         started        130 powershell.exe 113->130         started        process18 signatures19 168 Loading BitLocker PowerShell Module 119->168 132 conhost.exe 119->132         started        134 conhost.exe 122->134         started        136 conhost.exe 124->136         started        138 conhost.exe 126->138         started        140 conhost.exe 128->140         started        142 conhost.exe 130->142         started        process20
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/cf14a8622e9a0ab68011a62ee9e9ed33327ff924763fcd4a5f97c5fe8a6b8495
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf14a8622e9a0ab68011a62ee9e9ed33327ff924763fcd4a5f97c5fe8a6b8495/
Threat name:
Script-BAT.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-03-20 16:30:18 UTC
File Type:
Text (Batch)
AV detection:
6 of 24 (25.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z4kkqyrotiflnaaruyxot2pngmzh76jeoy742ss7s7c75ctlqskq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
4953d68d68bf137417321bbfc3b7207ee6b2eab0c9600be88bdd3501961ea137
XWorm
4b056176eff38ea62624a06c424eb2ff021a616c884295d4b79366c1dc2aa066
XWorm
6513f2777a217402f9fa6196dacc31c948dfdde0680ccba57879b1c8d2cd11f8
XWorm
7a377adab50bbdcd81aef43cd3f7e16e21bc6e910871d60fd0fbac83950bd4f7
XWorm
error
XWorm
+ 2'047 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/250320-tzx77ayrv3/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
freeetradingzone.duckdns.org:3911
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf14a8622e9a0ab68011a62ee9e9ed33327ff924763fcd4a5f97c5fe8a6b8495

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Batch (bat) bat cf14a8622e9a0ab68011a62ee9e9ed33327ff924763fcd4a5f97c5fe8a6b8495

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments