MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df56b2796d6a3dc1cb0dd449bde500ee024aba2cba51aec803f1d14672c2e6ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df56b2796d6a3dc1cb0dd449bde500ee024aba2cba51aec803f1d14672c2e6ce
SHA3-384 hash: e7a3c34c12bb89477ddeedfb8f933bfd23d2c7e3cce4dea93499e0f0869bb4b76544e988981ea3e4d795e9fd06b3480a
SHA1 hash: 8af49737c85c0bff05fd7e9616425216402993fa
MD5 hash: 217fbf93a2faaf3d694538f55885580f
humanhash: river-victor-georgia-yellow
File name:awb_documents_bl_delivery_24_03_2025_0000000-pdf.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:284'719 bytes
First seen:2025-03-25 01:30:21 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 6144:XHf/lYdiaI6yM05Kk3mBAk7a7Ur1m6fC1nRlKqcit:XHf/lmitM0AYmBeYr14Nt
Threatray 2'104 similar samples on MalwareBazaar
TLSH T1E8549EFBE1E47ED407D765E90098331C486C8B8313690F2CF5AD72D61AD098EABBA547
Magika txt
Reporter BastianHein
Tags:bat xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
CL CL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c5191b7eddb78ebb229f15e0d25edeba945cbb7fa5126560085a4c36114c2500
Verdict:
Malicious activity
Analysis date:
2025-03-25 01:23:06 UTC
Tags:
arch-exec remote xworm
Link:
https://app.any.run/tasks/4fae59b3-875a-429c-8297-0eb1c83b9e52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BAT.Agent-36.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e20579bb84e066269ea8ca
Tags:
vmdetect autorun
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm masquerade obfuscated
Link:
https://www.filescan.io/uploads/67e2075fa08e28b31da5ee83/reports/33372342-025b-48a8-830d-4771f8f785c4/overview
Verdict:
Malicious
Labled as:
BAT/Agent.AZY
Link:
https://www.hybrid-analysis.com/sample/df56b2796d6a3dc1cb0dd449bde500ee024aba2cba51aec803f1d14672c2e6ce
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Result
Threat name:
Batch Injector, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1647605
Signature
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
Yara detected Batch Injector
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1647605 Sample: awb_documents_bl_delivery_2... Startdate: 25/03/2025 Architecture: WINDOWS Score: 100 148 freeetradingzone.duckdns.org 2->148 152 Suricata IDS alerts for network traffic 2->152 154 Found malware configuration 2->154 156 Malicious sample detected (through community Yara rule) 2->156 160 20 other signatures 2->160 13 cmd.exe 1 2->13         started        16 cmd.exe 1 2->16         started        18 cmd.exe 1 2->18         started        20 6 other processes 2->20 signatures3 158 Uses dynamic DNS services 148->158 process4 signatures5 176 Suspicious powershell command line found 13->176 178 Bypasses PowerShell execution policy 13->178 22 cmd.exe 3 13->22         started        25 conhost.exe 13->25         started        27 cmd.exe 2 16->27         started        29 conhost.exe 16->29         started        31 cmd.exe 2 18->31         started        33 conhost.exe 18->33         started        35 cmd.exe 20->35         started        37 cmd.exe 20->37         started        39 10 other processes 20->39 process6 signatures7 166 Suspicious powershell command line found 22->166 41 powershell.exe 21 22->41         started        46 conhost.exe 22->46         started        48 powershell.exe 27->48         started        50 conhost.exe 27->50         started        52 powershell.exe 31->52         started        54 conhost.exe 31->54         started        56 2 other processes 35->56 58 2 other processes 37->58 60 8 other processes 39->60 process8 dnsIp9 150 freeetradingzone.duckdns.org 206.123.152.105, 3911, 49696 HVC-ASUS United States 41->150 144 C:\Users\user\...\StartupScript_e636f003.cmd, ASCII 41->144 dropped 146 C:\Users\user\AppData\...\tmpE1C7.tmp.bat, DOS 41->146 dropped 170 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 41->170 172 Adds a directory exclusion to Windows Defender 41->172 174 Found suspicious powershell code related to unpacking or dynamic code loading 41->174 62 powershell.exe 23 41->62         started        65 cmd.exe 1 41->65         started        67 cmd.exe 1 48->67         started        69 cmd.exe 52->69         started        71 cmd.exe 56->71         started        73 cmd.exe 58->73         started        75 cmd.exe 60->75         started        77 cmd.exe 60->77         started        79 2 other processes 60->79 file10 signatures11 process12 signatures13 180 Loading BitLocker PowerShell Module 62->180 81 conhost.exe 62->81         started        83 2 other processes 65->83 85 2 other processes 67->85 88 2 other processes 69->88 90 2 other processes 71->90 92 2 other processes 73->92 94 2 other processes 75->94 96 2 other processes 77->96 98 4 other processes 79->98 process14 signatures15 100 powershell.exe 85->100         started        103 conhost.exe 85->103         started        105 powershell.exe 88->105         started        107 conhost.exe 88->107         started        109 2 other processes 90->109 111 2 other processes 92->111 113 2 other processes 94->113 164 Suspicious powershell command line found 96->164 115 2 other processes 96->115 117 2 other processes 98->117 process16 signatures17 162 Adds a directory exclusion to Windows Defender 100->162 119 powershell.exe 100->119         started        122 powershell.exe 105->122         started        124 powershell.exe 109->124         started        126 powershell.exe 111->126         started        128 powershell.exe 113->128         started        130 powershell.exe 115->130         started        process18 signatures19 168 Loading BitLocker PowerShell Module 119->168 132 conhost.exe 119->132         started        134 conhost.exe 122->134         started        136 conhost.exe 124->136         started        138 conhost.exe 126->138         started        140 conhost.exe 128->140         started        142 conhost.exe 130->142         started        process20
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/df56b2796d6a3dc1cb0dd449bde500ee024aba2cba51aec803f1d14672c2e6ce
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df56b2796d6a3dc1cb0dd449bde500ee024aba2cba51aec803f1d14672c2e6ce/
Threat name:
Script-BAT.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-03-25 01:23:07 UTC
File Type:
Text
AV detection:
7 of 24 (29.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=35lle6lnni64dsyn2re33zia5ybevormxji25sad6hium4wc43ha._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
4953d68d68bf137417321bbfc3b7207ee6b2eab0c9600be88bdd3501961ea137
XWorm
6513f2777a217402f9fa6196dacc31c948dfdde0680ccba57879b1c8d2cd11f8
XWorm
7a377adab50bbdcd81aef43cd3f7e16e21bc6e910871d60fd0fbac83950bd4f7
XWorm
cf14a8622e9a0ab68011a62ee9e9ed33327ff924763fcd4a5f97c5fe8a6b8495
XWorm
d0947eae56860259ab301c62cfdcd0f8c77a59edadd82880b7fd743cf95a8e7a
XWorm
error
XWorm
+ 2'094 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/250325-bxfw1syzas/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
freeetradingzone.duckdns.org:3911
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/df56b2796d6a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df56b2796d6a3dc1cb0dd449bde500ee024aba2cba51aec803f1d14672c2e6ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments