MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0136c60554112e94e8ec739c2a19754e9f844d3979a286b17e0e79fff275993. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0136c60554112e94e8ec739c2a19754e9f844d3979a286b17e0e79fff275993
SHA3-384 hash: 24d62e3babf2ff3ba5565a4a269ef78dde772309ef830a5c3652cb9096e11de7f441a18d36898bb249af77522f0f77a0
SHA1 hash: 1965b4eb1e935eb8c88bd60cb81be10430ba7c86
MD5 hash: 431c79278795c1cc1c332f66cabc0757
humanhash: bacon-north-six-nitrogen
File name:431c79278795c1cc1c332f66cabc0757.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:61'771 bytes
First seen:2025-02-26 08:56:34 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 1536:/dAWoIhrxMsEarqcWaLXcbRqKeCuwY4cD:/AIhqslrqcWajlD
Threatray 1'999 similar samples on MalwareBazaar
TLSH T15F53BF7914A6C6248D8A657CC05F0B6884F43001D3B17CA9F3B06DA5967DCBE1BD2B9E
Magika powershell
Reporter abuse_ch
Tags:bat xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
431c79278795c1cc1c332f66cabc0757.bat
Verdict:
No threats detected
Analysis date:
2025-02-26 10:06:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2ec3d239-d739-4d0e-99a5-3afb9dfa437f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BV.Agent-BZW.179.22960.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67bed7f6a0fd713c335ce989
Tags:
obfuscate xtreme shell
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/67bed76860f4b4f0724cb765/reports/1d853dc8-40c7-42f0-a1af-80d0a7f8368c/overview
Verdict:
Malicious
Labled as:
PowerShell/Kryptik.H trojan
Link:
https://www.hybrid-analysis.com/sample/e0136c60554112e94e8ec739c2a19754e9f844d3979a286b17e0e79fff275993
Result
Verdict:
SUSPICIOUS
Details
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1624467
Signature
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell decrypt and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1624467 Sample: fQsD4OrY1o.bat Startdate: 26/02/2025 Architecture: WINDOWS Score: 100 63 acehere.duckdns.org 2->63 65 licensing.tools 2->65 75 Suricata IDS alerts for network traffic 2->75 77 Found malware configuration 2->77 79 Malicious sample detected (through community Yara rule) 2->79 83 20 other signatures 2->83 12 cmd.exe 1 2->12         started        15 wscript.exe 1 2->15         started        signatures3 81 Uses dynamic DNS services 63->81 process4 signatures5 97 Suspicious powershell command line found 12->97 99 Wscript starts Powershell (via cmd or directly) 12->99 101 Bypasses PowerShell execution policy 12->101 17 powershell.exe 17 21 12->17         started        22 conhost.exe 12->22         started        103 Windows Scripting host queries suspicious COM object (likely to drop second stage) 15->103 105 Suspicious execution chain found 15->105 process6 dnsIp7 61 licensing.tools 172.67.207.176, 443, 49706 CLOUDFLARENETUS United States 17->61 57 C:\Users\user\AppData\...\lg2h4sichn45.vbs, ASCII 17->57 dropped 59 C:\Users\user\AppData\...\lg2h4sichn45.bat, DOS 17->59 dropped 85 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->85 87 Suspicious powershell command line found 17->87 89 Adds a directory exclusion to Windows Defender 17->89 24 wscript.exe 1 17->24         started        27 powershell.exe 37 17->27         started        29 powershell.exe 23 17->29         started        31 ReAgentc.exe 3 17->31         started        file8 signatures9 process10 signatures11 91 Wscript starts Powershell (via cmd or directly) 24->91 33 cmd.exe 24->33         started        93 Loading BitLocker PowerShell Module 27->93 36 conhost.exe 27->36         started        38 conhost.exe 29->38         started        40 conhost.exe 31->40         started        process12 signatures13 71 Suspicious powershell command line found 33->71 73 Wscript starts Powershell (via cmd or directly) 33->73 42 powershell.exe 33->42         started        46 conhost.exe 33->46         started        process14 dnsIp15 67 acehere.duckdns.org 194.59.31.74, 5938, 62271 COMBAHTONcombahtonGmbHDE Germany 42->67 95 Adds a directory exclusion to Windows Defender 42->95 48 powershell.exe 42->48         started        51 ReAgentc.exe 42->51         started        signatures16 process17 signatures18 69 Loading BitLocker PowerShell Module 48->69 53 conhost.exe 48->53         started        55 conhost.exe 51->55         started        process19
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/e0136c60554112e94e8ec739c2a19754e9f844d3979a286b17e0e79fff275993
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0136c60554112e94e8ec739c2a19754e9f844d3979a286b17e0e79fff275993/
Threat name:
Script-BAT.Backdoor.Xworm
Create hunting rule
Status:
Suspicious
First seen:
2025-02-25 06:45:10 UTC
File Type:
Text (PowerShell)
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ajwyycviejostuoy444fimxktu7qrgts6ncq2yx4dtz77zhlgjq._file
Verdict:
malicious
Label(s):
unknown_loader_040
Create hunting rule
xworm
Create hunting rule
Similar samples:
33d5fb4708217397a18bbea3a1e10c07544bb81e642555ff9ae18ffd67c1e436
XWorm
48e07efb20903e74d800dfd9cd450fd1ee206e27ea4681b4c46e0e225b788b15
XWorm
551b0a6bc3aa19879c1936a0d91a73e44e57dffa057a3ac90bf8b009e840e516
XWorm
8048406056b1a1a91b56725c1c0b89e3b8060bf5a45861484a73728d222ccbc2
XWorm
929781941202c78878fbbf8e872f8559cdbd074c4e37f9dfcc8164422fbf9ddc
XWorm
bd34d96d669f3973d2a0fd07c351b387d065bf1f30decde24f74ebe84f5dd553
XWorm
cfe5641a801f7e3123992589a5543f667d77d86e2880c1163fa61517d4bcfb2c
XWorm
d8e3240539b9d124c081506af59cf87d47b89139e423894063ac9389697b49a2
XWorm
error
XWorm
+ 1'989 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/250226-kwnd5stjt5/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction:
acehere.duckdns.org:5938
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e0136c60554112e94e8ec739c2a19754e9f844d3979a286b17e0e79fff275993

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XWorm

Batch (bat) bat e0136c60554112e94e8ec739c2a19754e9f844d3979a286b17e0e79fff275993

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3452082/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3452083/

Comments