MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df427364a3983eeb6defc880fceb46cbd749dbbc730986bbbd053aa35efd7fdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df427364a3983eeb6defc880fceb46cbd749dbbc730986bbbd053aa35efd7fdb
SHA3-384 hash: 59335eee4554bf3878867dfc6962b984563a9721815200c80f6e49fc8d048b7e367b898bcb2fdcf53a16de1b3d4bdfd6
SHA1 hash: e00dfeee714bc4ee22972cdee2d0fb945e8c3576
MD5 hash: b408f02b85d0c3d1f36b1dc56dd9d5ad
humanhash: indigo-friend-sad-chicken
File name:Purchase Order.bat
Download: download sample
File size:168'898 bytes
First seen:2025-10-30 08:26:19 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 3072:bteAB7YGRIkVlIK1TFio7ppIPn8JYwxHFKEIlmi:bteAB7YGHVfpMo7pOPn8JYwxlKEIlmi
Threatray 1'380 similar samples on MalwareBazaar
TLSH T1E8F36F3BA760A890CF192090DC15EA7AB3F5C74EB7922618BC87C57164701ED8B77D2B
Magika batch
Reporter Anonymous
Tags:bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
32
Origin country :
PL PL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order71805.bat
Verdict:
Suspicious activity
Analysis date:
2025-10-30 07:54:53 UTC
Tags:
susp-powershell
Link:
https://app.any.run/tasks/237fa7a3-1b26-4581-a53f-5c8885f7a8ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34742/
Verdict:
Clean
Score:
82.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6903213d9942f1282eca653d
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Running batch commands
Launching cmd.exe command interpreter
Launching a process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 evasive masquerade obfuscated powershell
Link:
https://www.filescan.io/uploads/6903213904d9479dbf554a3c/reports/cce40df3-53a2-4d4c-91d3-31cfbb19eaf0/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/df427364a3983eeb6defc880fceb46cbd749dbbc730986bbbd053aa35efd7fdb
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-10-30T03:51:00Z UTC
Last seen:
2025-11-01T06:42:00Z UTC
Hits:
~1000
Detections:
Trojan-PSW.Win32.BroPass.sb HEUR:Trojan.PowerShell.Tesre.sb Backdoor.MSIL.XWorm.b Trojan.PowerShell.AmsiBypass.sb PDM:Trojan.Win32.Generic HEUR:Trojan.BAT.Tesre.gen Backdoor.Agent.TCP.C&C Trojan-PSW.Win32.Stealer.sb Trojan.BAT.Agent.sb
Link:
https://opentip.kaspersky.com/df427364a3983eeb6defc880fceb46cbd749dbbc730986bbbd053aa35efd7fdb/results?tab=lookup
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/df427364a3983eeb6defc880fceb46cbd749dbbc730986bbbd053aa35efd7fdb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df427364a3983eeb6defc880fceb46cbd749dbbc730986bbbd053aa35efd7fdb/
Verdict:
Malicious
Threat:
Backdoor.MSIL.XWorm
Link:
https://tip.neiki.dev/file/df427364a3983eeb6defc880fceb46cbd749dbbc730986bbbd053aa35efd7fdb
Threat name:
Script-BAT.Trojan.Xworm
Create hunting rule
Status:
Suspicious
First seen:
2025-10-30 07:57:44 UTC
File Type:
Text (Batch)
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=35bhgzfdta7ow3ppzcapz22gzplutw54omeyno55au5kgxx5p7nq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
04ed4c7cbfc1c59414207610ad914115c870308143c0b9bb911dcc6cd7a84619
0ab443fab4801052dad2c86ca316328d520447ad0dc7246c0235e2eef2e97a1d
1cbbb5dfc0c192f12c73ffef24f957c47bf36fb0c7c3b47076bac0872fac33a1
203d89bb4cc6f43407327ed2c132bbe394cb55f7ff3cd4f84038943df2e0ebf7
24d5c728af9ea56d4148f0d00e443db04621415c3730ab68b6ad8b8b3ec534bf
5620d362152320c8b3dff6f8f3cd009f4d68d3b994ce2b9a4fcc432d32ec919b
b51dece1c0b3a6422d16176ce2397cfcdde099be7700cc45b8c79c30d3727489
bbd166e6d916f328c29a4e19a4cb2f686c447b197eb7291def515bc3a63fdda7
d17f5a248883a81f2d0b01f801c62d60bdf5bda00c455f7823ffac056b4165c6
error
+ 1'370 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
execution
Link:
https://tria.ge/reports/251030-kb5gxsez2h/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/df427364a398/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df427364a3983eeb6defc880fceb46cbd749dbbc730986bbbd053aa35efd7fdb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34742/

Comments