MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9711aa0601544265b4f9c24442069c4edcd331af55798ca2e4a4d25532ddfd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9711aa0601544265b4f9c24442069c4edcd331af55798ca2e4a4d25532ddfd8
SHA3-384 hash: 2f1b3f91298c6da95676384493b02f948831afb775dd89db1fc5be83e3f4ca801fb3c2ba89ac90835f16afc6b703c101
SHA1 hash: 6785975153e6e17de8d88ba660cbc7d2f0a46166
MD5 hash: 529fa591923f4b4a840d1ea29f064a21
humanhash: double-ink-wolfram-lake
File name:z21awb_original.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:96'393 bytes
First seen:2025-06-02 08:30:10 UTC
Last seen:2025-06-02 10:42:26 UTC
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 1536:7Y7t7uk9/jZAdArmEwiq9mXD6j8vk6r8U3xgvBUpBc5c90Uo28+BkYKevcDsBf:U39/nYmTFVhk4Bdov9IcDC
Threatray 1'844 similar samples on MalwareBazaar
TLSH T19393B739CBA9DFF40B3B74C0998E2A5A20CD1BE3DD221A0DE9A1055C2D354159F3DADE
Magika vba
Reporter FXOLabs
Tags:bat xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
z21awb_original.bat
Verdict:
No threats detected
Analysis date:
2025-06-02 08:34:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cf1ed60d-3f45-4495-aa70-ab6c0d80aabd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/6851/
Detection(s):
SecuriteInfo.com.BAT.Obfus-4.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.BAT.Obfus-3.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683d6223acf88f5815eb210d
Tags:
obfuscate autorun xtreme shell
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 evasive obfuscated powershell
Link:
https://www.filescan.io/uploads/683d613e171e01f959332e8a/reports/b27ce972-fa21-4d67-8a42-94eaa122c394/overview
Verdict:
Suspicious
Labled as:
BAT/Agent.AZY
Link:
https://www.hybrid-analysis.com/sample/e9711aa0601544265b4f9c24442069c4edcd331af55798ca2e4a4d25532ddfd8
Result
Threat name:
Batch Injector, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1703828
Signature
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Uses dynamic DNS services
Yara detected Batch Injector
Yara detected Powershell decode and execute
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1703828 Sample: z21awb_original.bat Startdate: 02/06/2025 Architecture: WINDOWS Score: 100 74 businesstradings.duckdns.org 2->74 78 Found malware configuration 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Multi AV Scanner detection for submitted file 2->82 86 15 other signatures 2->86 8 cmd.exe 1 2->8         started        11 cmd.exe 1 2->11         started        13 cmd.exe 1 2->13         started        15 16 other processes 2->15 signatures3 84 Uses dynamic DNS services 74->84 process4 signatures5 92 Suspicious powershell command line found 8->92 94 Bypasses PowerShell execution policy 8->94 17 cmd.exe 3 8->17         started        20 conhost.exe 8->20         started        22 cmd.exe 2 11->22         started        24 conhost.exe 11->24         started        26 cmd.exe 2 13->26         started        28 conhost.exe 13->28         started        30 cmd.exe 2 15->30         started        32 cmd.exe 2 15->32         started        34 30 other processes 15->34 process6 signatures7 76 Suspicious powershell command line found 17->76 36 powershell.exe 18 17->36         started        40 conhost.exe 17->40         started        42 powershell.exe 22->42         started        44 conhost.exe 22->44         started        46 powershell.exe 26->46         started        48 conhost.exe 26->48         started        50 2 other processes 30->50 52 2 other processes 32->52 54 28 other processes 34->54 process8 file9 56 C:\Users\user\AppData\Roaming\...\47f7.bat, ASCII 36->56 dropped 88 Drops script or batch files to the startup folder 36->88 90 Found suspicious powershell code related to unpacking or dynamic code loading 36->90 58 C:\Users\user\AppData\Roaming\...\ed1d.bat, ASCII 42->58 dropped 60 C:\Users\user\AppData\Roaming\...\3974.bat, ASCII 46->60 dropped 62 C:\Users\user\AppData\Roaming\...\82d9.bat, ASCII 50->62 dropped 64 C:\Users\user\AppData\Roaming\...\6194.bat, ASCII 52->64 dropped 66 C:\Users\user\AppData\Roaming\...\f8a9.bat, ASCII 54->66 dropped 68 C:\Users\user\AppData\Roaming\...\de16.bat, ASCII 54->68 dropped 70 C:\Users\user\AppData\Roaming\...\d4d5.bat, ASCII 54->70 dropped 72 11 other malicious files 54->72 dropped signatures10
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/e9711aa0601544265b4f9c24442069c4edcd331af55798ca2e4a4d25532ddfd8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9711aa0601544265b4f9c24442069c4edcd331af55798ca2e4a4d25532ddfd8/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/e9711aa0601544265b4f9c24442069c4edcd331af55798ca2e4a4d25532ddfd8
Threat name:
Script.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2025-06-02 08:30:52 UTC
File Type:
Text
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5fyrvidacvccmw2ptqseiidjytw42my26vlzrsrojjgskuzn37ma._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
1ba574b61dca255ef93e884d9cbad520403166562a7ae8ce28417080d52fe0a7
XWorm
2aa37e753ce1273f6ee4968bec7e2381b79a85ffbd1ee3da1fe9b4c1ea3ec4cd
XWorm
4c3c7c82fef77195b527cac193188f01065d38da118efdd8d51d8fb53f5af87e
XWorm
4fecb0662c4acd463645475e4efca2a14f4afa0960f34cdfd3e50346005efd83
XWorm
8a10eec1f7fd5b66ad2095eaa8481e9bfd6669033af3233c4bfeaf5a1de9ff3a
XWorm
a90c46b549a798b086e2ef3ee17728c7456cdf3730b25f50500143e3a56de1f8
XWorm
cabe7c8088610b32f234f920fdfc9c0ba3c64301e1cb3bd443f400b9998ba50f
XWorm
cb08ed88dd97692627d9bed9a5201369574a1ef581aa52cadd674b26461b1c9a
XWorm
e5269c1e1058ff5344999040ab4d02ad3cc2cb1020a2e1d9de9c62fed5e9123f
XWorm
error
XWorm
fa998dd5153a01397534f381ab5655a7afeb94e4b236e0dc4ffbed6891011949
XWorm
+ 1'834 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/250602-keltzsaj3v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e9711aa06015/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e9711aa0601544265b4f9c24442069c4edcd331af55798ca2e4a4d25532ddfd8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Batch (bat) bat e9711aa0601544265b4f9c24442069c4edcd331af55798ca2e4a4d25532ddfd8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/6851/

Comments