MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da4bd34f7700dfc0065cc6fda8ccfd277ec30de7c85109444d626843058859c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da4bd34f7700dfc0065cc6fda8ccfd277ec30de7c85109444d626843058859c4
SHA3-384 hash: b904b8a12932782870a19533fe5d9a364ad1af5406662c73e4ef8bfbf2b1a098fd0b3c189accd5d357163550a022e3b3
SHA1 hash: 350b4eecdcbed3aaeb8014412ed8f109ad37b6e0
MD5 hash: ee4400fccff59b9350d9701acade8059
humanhash: ink-three-march-berlin
File name:RVNY0372_251222114248.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:205'019 bytes
First seen:2025-12-24 01:30:39 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 3072:sa4CzpfT+dIWnvCy4/NomszcAhK/xZopZ5j4wfyabk/7ZktLPlz694HvQsLMFYkh:R4CNYIWvlrExmpPj4b/7ZktoFtZR5us
TLSH T13414BF2D32E32E2DEDF28669B4E0E043BF9E55C71B20E9EF55DF01546B8D98949EC402
Magika batch
Reporter smica83
Tags:bat HUN xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
58
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
RVNY0372_251222114248.bat
Verdict:
No threats detected
Analysis date:
2025-12-24 01:32:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c4bcf71a-9659-428b-9520-fbe9355cdf22

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/45963/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=694b426701c7b4a8fe5544f9
Tags:
dropper emotet shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm attrib base64 fingerprint lolbin obfuscated persistence powershell schtasks
Link:
https://www.filescan.io/uploads/694b4266e126b9ff438f2f3d/reports/ee1d54ce-d0f7-4075-9568-a5e33ab2dd84/overview
Verdict:
Suspicious
Labled as:
Trojan/BAT.Obfus
Link:
https://www.hybrid-analysis.com/sample/da4bd34f7700dfc0065cc6fda8ccfd277ec30de7c85109444d626843058859c4
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-12-22T04:48:00Z UTC
Last seen:
2025-12-24T11:07:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.BAT.Obfus.gen
Link:
https://opentip.kaspersky.com/da4bd34f7700dfc0065cc6fda8ccfd277ec30de7c85109444d626843058859c4/results?tab=lookup
Result
Threat name:
DonutLoader, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1838583
Signature
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Powershell is started from unusual location (likely to bypass HIPS)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Reads the Security eventlog
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected DonutLoader
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1838583 Sample: RVNY0372_251222114248.bat Startdate: 24/12/2025 Architecture: WINDOWS Score: 100 91 tse1.mm.bing.net 2->91 93 shed.dual-low.part-0041.t-0009.t-msedge.net 2->93 95 12 other IPs or domains 2->95 115 Suricata IDS alerts for network traffic 2->115 117 Found malware configuration 2->117 119 Malicious sample detected (through community Yara rule) 2->119 121 12 other signatures 2->121 12 cmd.exe 1 2->12         started        15 wscript.exe 2->15         started        17 explorer.exe 2->17         started        signatures3 process4 dnsIp5 123 Suspicious powershell command line found 12->123 125 Wscript starts Powershell (via cmd or directly) 12->125 127 Obfuscated command line found 12->127 20 powershell.exe 12 12->20         started        22 conhost.exe 12->22         started        129 Windows Scripting host queries suspicious COM object (likely to drop second stage) 15->129 131 Suspicious execution chain found 15->131 24 cmd.exe 15->24         started        89 ax-0003.ax-msedge.net 150.171.27.12, 443, 49732 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 17->89 133 System process connects to network (likely due to code injection or exploit) 17->133 135 Query firmware table information (likely to detect VMs) 17->135 signatures6 process7 process8 26 cmd.exe 1 20->26         started        29 powershell.exe 24->29         started        31 conhost.exe 24->31         started        file9 85 C:\Users\user\Downloads\MBS.exe, PE32+ 26->85 dropped 87 C:\ProgramData\IntelDrIver\rEgX.cmd, DOS 26->87 dropped 33 MBS.exe 28 26->33         started        37 MBS.exe 13 26->37         started        39 MBS.exe 12 26->39         started        43 2 other processes 26->43 41 cmd.exe 29->41         started        process10 file11 73 C:\...\ocZpcnZkaclvkdhsyaocvoaxkzpaiywq.xml, XML 33->73 dropped 75 C:\Users\user\AppData\...\ggosaenmquqn.vbs, ASCII 33->75 dropped 77 C:\Users\user\AppData\...\qianbnfp.cmdline, Unicode 33->77 dropped 99 Injects code into the Windows Explorer (explorer.exe) 33->99 101 Writes to foreign memory regions 33->101 103 Powershell is started from unusual location (likely to bypass HIPS) 33->103 105 Creates a thread in another existing process (thread injection) 33->105 45 explorer.exe 33->45 injected 49 csc.exe 33->49         started        52 schtasks.exe 33->52         started        60 2 other processes 33->60 107 Uses schtasks.exe or at.exe to add and modify task schedules 37->107 109 Compiles code for process injection (via .Net compiler) 37->109 111 Reads the Security eventlog 37->111 113 Reads the System eventlog 39->113 54 MBS.exe 41->54         started        56 MBS.exe 41->56         started        58 MBS.exe 41->58         started        62 2 other processes 41->62 signatures12 process13 dnsIp14 97 151.247.219.188, 49724, 7771 RASANAIR Iran (ISLAMIC Republic Of) 45->97 137 System process connects to network (likely due to code injection or exploit) 45->137 139 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 45->139 141 Unusual module load detection (module proxying) 45->141 64 WerFault.exe 45->64         started        79 C:\Users\user\AppData\Local\...\qianbnfp.dll, PE32 49->79 dropped 66 cvtres.exe 49->66         started        81 C:\Users\user\AppData\Local\...\di4b1c2a.0.cs, Unicode 54->81 dropped 143 Powershell is started from unusual location (likely to bypass HIPS) 54->143 145 Reads the Security eventlog 54->145 147 Reads the System eventlog 54->147 68 csc.exe 54->68         started        file15 signatures16 process17 file18 83 C:\Users\user\AppData\Local\...\di4b1c2a.dll, PE32 68->83 dropped 71 cvtres.exe 68->71         started        process19
Score:
95%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/da4bd34f7700dfc0065cc6fda8ccfd277ec30de7c85109444d626843058859c4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/da4bd34f7700dfc0065cc6fda8ccfd277ec30de7c85109444d626843058859c4/
Verdict:
Malicious
Threat:
Trojan.BAT.Obfus
Link:
https://tip.neiki.dev/file/da4bd34f7700dfc0065cc6fda8ccfd277ec30de7c85109444d626843058859c4
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3jf5gt3xadp4abs4y362rth5e57mgdphzbiqsrcnmjuegbmilhca._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/251225-nylvwatnhp/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/da4bd34f7700dfc0065cc6fda8ccfd277ec30de7c85109444d626843058859c4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/45963/

Comments