MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7ca4a3b12b6cd71c050af363ecc8199e444a1e0dc3cf2fde661cd7a8936cd7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 13



SHA256 hash: f7ca4a3b12b6cd71c050af363ecc8199e444a1e0dc3cf2fde661cd7a8936cd7b
SHA3-384 hash: bac193d89ccffb04d2d13baff98a917052b694b55f440041e156aef17d4a4d3a14b0f0454b3f21adda8d5dcde8083bdb
SHA1 hash: 792cbf7bdf538b6d97748e1f2810a1e97e68ee8e
MD5 hash: 8bc9ca287255d88bdf4a6976f4daefb1
humanhash: glucose-twenty-autumn-echo
File name: teast.bat
Signature: XWorm
File size: 381'549 bytes
First seen: 2025-05-28 21:32:27 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 6144:UwGXCDZUkUnJqNZxSaOxjwuHijQCoEWD8iwb0ED9zKZ5/Wu2CP0xlU1sxX:U5XCD+kU4NZxswu+QyWD8iwbv1Q5/GxV
Threatray: 40 similar samples on MalwareBazaar
TLSH: T12E84DF7FD2B3060B4A1AB9D0C61E052C714DAF720175C6A5CFA58E603DCDB529E33AE6
Magika: powershell
Reporter: BastianHein
Tags: bat xworm

Intelligence


File Origin
# of uploads: 1
# of downloads: 121
Origin country: CL

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: teast.bat
Verdict: No threats detected
Analysis date: 2025-05-26 19:19:24 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 93.3%
Tags: emotet shell virus sage

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: base64 cmd evasive explorer lolbin msconfig obfuscated packed powershell reconnaissance
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Creates a thread in another existing process (thread injection)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Powershell is started from unusual location (likely to bypass HIPS)
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Potentially Suspicious PowerShell Child Processes
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Powershell decode and execute
Yara detected Powershell decrypt and execute
Behaviour
Behavior Graph (ID 1701123, sample teast.bat, start date 28/05/2025, architecture WINDOWS, score 100); the graph image itself is not preserved, the details recoverable from it are:
Network: eg-huge.gl.at.ply.gg (147.185.221.28, port 55863, SALSGIVERUS, United States), contacted by powershell.exe and by an injected svchost.exe; 23.66.134.242, port 443 (AKAMAI-ASUS, United States; local ports 49687, 49688), contacted from the "32 other processes" node; DNS lookups for ax-ring.ax-9999.ax-msedge.net and ax-9999.ax-msedge.net
Process tree: sample -> cmd.exe -> powershell.exe, conhost.exe, cmd.exe; sample -> Discord.exe -> conhost.exe; powershell.exe injects into explorer.exe, svchost.exe (two instances) and 32 other processes; explorer.exe -> Discord.exe (two instances) -> conhost.exe; the other processes spawn conhost.exe and WMIADAP.exe
Dropped files (by powershell.exe): C:\Users\user\AppData\Roaming\Discord.exe (PE32+), \Device\ConDrv (ASCII)
Signatures by node: sample: Malicious sample detected (through community Yara rule), Multi AV Scanner detection for submitted file, Yara detected Powershell decrypt and execute, 7 other signatures; cmd.exe: Suspicious powershell command line found; Discord.exe (both the root-started and explorer-started instances): Powershell is started from unusual location (likely to bypass HIPS), Reads the Security eventlog, Reads the System eventlog; powershell.exe: Query firmware table information (likely to detect VMs), Injects code into the Windows Explorer (explorer.exe), Uses schtasks.exe or at.exe to add and modify task schedules, 3 other signatures; explorer.exe: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); svchost.exe: System process connects to network (likely due to code injection or exploit), Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes), Queries temperature or sensor information (via WMI, often done to detect virtual machines)
Threat name: Script-BAT.Trojan.Alien
Status: Malicious
First seen: 2025-05-26 19:19:23 UTC
File Type: Text
AV detection: 10 of 24 (41.67%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:donutloader family:xworm defense_evasion execution loader persistence rat trojan
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Detects DonutLoader
DonutLoader
Donutloader family
Xworm
Xworm family
Malware Config
C2 Extraction: eg-huge.gl.at.ply.gg:55863
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments