MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e72ac0721aa51541d09b605b6e1d91c723ab37f463d06f18dffe78941537c54d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	e72ac0721aa51541d09b605b6e1d91c723ab37f463d06f18dffe78941537c54d
SHA3-384 hash:	fe350feee0d01f5b44e3042f43ba5d72cd31c961500930666b5f18d7c1885b457693a98d2efec3cbf0ad171494df3d64
SHA1 hash:	509b75d218664e74b6b2874cc77e5ab1e7d1bdf3
MD5 hash:	c30446273a7a15c74ecc01a316e16260
humanhash:	mountain-golf-mobile-island
File name:	Wycena_Pilne_Zamowienie_Trust_Machinery_830006.bat
Download:	download sample
Signature	XWorm Create hunting rule
File size:	9'800 bytes
First seen:	2025-11-06 08:14:57 UTC
Last seen:	2025-11-10 07:50:08 UTC
File type:	bat
MIME type:	text/plain
ssdeep	192:fu8j1+G8+7/uzzzzzzzzzzzzzzzzzzzzzzDZzzzzzzzzzzzzzzzzzzzzzzOzzzze:f/j1+D2/uzzzzzzzzzzzzzzzzzzzzzz3
Threatray	2'366 similar samples on MalwareBazaar
TLSH	T1A41226A6B6C7AC1BEB648180CA7149F14B3AD8C0EFDCE5EC1711405A18BA2C6D3D65D7
Magika	vba
Reporter	Anonymous
Tags:	bat xworm

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

_e72ac0721aa51541d09b605b6e1d91c723ab37f463d06f18dffe78941537c54d.txt

Verdict:

No threats detected

Analysis date:

2025-11-06 08:15:48 UTC

Tags:

susp-powershell

Link:

https://app.any.run/tasks/02b6dcfe-3c9d-406c-a72f-d75c956dba74

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/35596/

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690c5929ea0f3e915c2370a6

Tags:

obfuscate xtreme shell

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Connection attempt to an infection source

Using the Windows Management Instrumentation requests

Query of malicious DNS domain

Sending a TCP request to an infection source

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

base64 batch obfuscated powershell

Link:

https://www.filescan.io/uploads/690c59244425b0b1fd17ed4d/reports/6384e8e2-5770-497b-b514-210cca086c4f/overview

Verdict:

Malicious

Labled as:

TrojanDownloader/BAT.Netloader

Link:

https://www.hybrid-analysis.com/sample/e72ac0721aa51541d09b605b6e1d91c723ab37f463d06f18dffe78941537c54d

Verdict:

Malicious

File Type:

text

First seen:

2025-11-05T16:46:00Z UTC

Last seen:

2025-11-07T01:48:00Z UTC

Hits:

~100

Detections:

HEUR:Trojan.BAT.Generic

Link:

https://opentip.kaspersky.com/e72ac0721aa51541d09b605b6e1d91c723ab37f463d06f18dffe78941537c54d/results?tab=lookup

Score:

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/e72ac0721aa51541d09b605b6e1d91c723ab37f463d06f18dffe78941537c54d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e72ac0721aa51541d09b605b6e1d91c723ab37f463d06f18dffe78941537c54d/

Verdict:

Malicious

Threat:

Trojan.BAT

Link:

https://tip.neiki.dev/file/e72ac0721aa51541d09b605b6e1d91c723ab37f463d06f18dffe78941537c54d

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2025-11-06 08:15:34 UTC

File Type:

Text (Batch)

AV detection:

8 of 24 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=44vma4q2uukudue3mbnw4hmry4r2wn7umpig6gg77z4jifjxyvgq._file

Verdict:

malicious

Label(s):

xworm

XWorm

3a444e7690f35fee4be070d0656bc7f0adab9bdcec798d5af27fc3c93e08f611

XWorm

3b39da6b761aebfac6324138212fd5a6eeb89a50ef1e7b8f8a813c07ac920062

XWorm

41cdbafba89bad77d1784458e5c226eb405ca9f46bb65a38031c48a97e6eef84

XWorm

61c99aca559a36c194dac72b7871716b26722cbcc3510e77f9354d942f0cf021

XWorm

732975f6429f6127a1927f1a5ebeb2a28b2d64e8b7b2c22df37708ac165074cc

XWorm

error

XWorm

+ 2'356 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:phantomvai family:xworm discovery execution loader persistence rat trojan

Link:

https://tria.ge/reports/251106-j5t3lshk8x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Detect Xworm Payload

Detects PhantomVAI loader aka VMDetectLoader, CaminhoLoader

PhantomVAI, VMDetectLoader, CaminhoLoader

Phantomvai family

Xworm

Xworm family

Malware Config

C2 Extraction:

manythingsilove.duckdns.org:5290
plentymattersub.duckdns.org:5290
pradaguccimaneto.freeddns.org:5290

Dropper Extraction:

http://ia600407.us.archive.org/7/items/msi-pro-with-b-64_202511/MSI_PRO_with_b64.png

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e72ac0721aa51541d09b605b6e1d91c723ab37f463d06f18dffe78941537c54d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Base64_Encoded_Powershell_Directives Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/35596/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample