MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0947eae56860259ab301c62cfdcd0f8c77a59edadd82880b7fd743cf95a8e7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XWorm


Vendor detections: 14



SHA256 hash: d0947eae56860259ab301c62cfdcd0f8c77a59edadd82880b7fd743cf95a8e7a
SHA3-384 hash: 842cafe4a5c1d238d1192ea6edb22b54c92ed2ab9a1768aafb23b3a3580e4a762dadb5d3d6d362b905ca561a8dabc5e4
SHA1 hash: b1a1a272345e43664c7eab806151b03ffd6d5133
MD5 hash: ceed76a8f59e9f08f748dd6d9cd9c689
humanhash: carbon-thirteen-steak-golf
File name: awb_dhl_Express_documents_delivery_20_03_2025_0000000-pdf.bat
Signature: XWorm
File size: 284'719 bytes
First seen: 2025-03-21 13:54:06 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/plain
ssdeep: 6144:SEgHaH9lA4ol1mPrIEZ8rqLU6CTkQIjHfG+VKs:ng67MYP3U6CTkpHfFKs
Threatray: 2'058 similar samples on MalwareBazaar
TLSH: T146549E7EC2F59FD20B2E70B4386A335976C82FD331394A2CE4E25621947E696DEB5034
Magika: vba
Reporter: abuse_ch
Tags: bat DHL xworm

Intelligence


File Origin
# of uploads: 1
# of downloads: 106
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a61efb1be04224731df52aa425f30639e37241cd6e7e8484f7ede53754c7316b
Verdict: Malicious activity
Analysis date: 2025-03-21 00:03:07 UTC
Tags: arch-exec remote xworm susp-powershell

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: backdoor autorun shell sage
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: masquerade obfuscated
Result
Verdict: MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Result
Threat name: Batch Injector
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
Yara detected Batch Injector
Yara detected Powershell decode and execute
Behaviour
Behavior Graph: (Joe Sandbox graph ID 1645199; the rendered graph is not reproduced here, only the details recoverable from it)
Sample: awb_dhl_Express_documents_d... | Startdate: 21/03/2025 | Architecture: WINDOWS | Score: 100
Process chain: cmd.exe spawns nested cmd.exe instances (each with conhost.exe), which launch powershell.exe; those PowerShell processes in turn spawn further cmd.exe and powershell.exe processes.
Network: freeetradingzone.duckdns.org resolved to 206.123.152.100 (HVC-ASUS, United States), remote port 3911, local port 49688; also 127.0.0.1 (unknown).
Dropped file: C:\Users\user\...\StartupScript_e9b48f33.cmd (ASCII)
Signatures attached to graph nodes: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Uses dynamic DNS services; Suspicious powershell command line found; Bypasses PowerShell execution policy; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Adds a directory exclusion to Windows Defender; Found suspicious powershell code related to unpacking or dynamic code loading; Loading BitLocker PowerShell Module; 13 other signatures.
Threat name: Win32.Ransomware.Generic
Status: Malicious
First seen: 2025-03-21 00:03:08 UTC
File Type: Text (Batch)
AV detection: 7 of 36 (19.44%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xworm execution rat trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction: freeetradingzone.duckdns.org:3911
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments