MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd507e33cd59e92d5ab4abaeb54a2b2f60194c7075441d7f1d3c92c774456a8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd507e33cd59e92d5ab4abaeb54a2b2f60194c7075441d7f1d3c92c774456a8e
SHA3-384 hash: 49558f7e1f7a9da121bcc836b0bbc871a9b8299b151b1e0d05efd5529aafc37f875d976228cf7250b9dc9ea037de75b7
SHA1 hash: 8903bbfef92717af91783b767cbfa21eb7e79541
MD5 hash: 17d6ea137991368c684bf0d5b65d96be
humanhash: pizza-bacon-black-october
File name:awb_bl_july_shipping_Inv_07_07_2025_000000000000000000000_pdf.bat
Download: download sample
Signature XWorm
Create hunting rule
File size:68'133 bytes
First seen:2025-07-07 10:43:16 UTC
Last seen:2025-07-08 07:15:38 UTC
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 1536:+h9qS21smCrToE9pCgPyvGYo5qP2jG4LZsDQYekwuPaxNjbjT:wcS6smCr8E96gNff
Threatray 1'821 similar samples on MalwareBazaar
TLSH T17C637D01BE0B6D1CBFD5216870DE48E65A7D23EB8A315ADE851BD7198F790009BEE1CC
Magika txt
Reporter lowmal3
Tags:bat xworm

Intelligence

File Origin
# of uploads :
2
# of downloads :
26
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/12664/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686ba501900df8e7f8682c3c
Tags:
obfuscate shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitsadmin certutil cmd cmdkey cscript evasive explorer findstr finger fingerprint forfiles hh ie4uinit lolbin macros-on-open masquerade msdt mshta msiexec msxsl netsh obfuscated obfuscated powershell regedit regsvr32 rundll32 schtasks timeout wmic wscript
Link:
https://www.filescan.io/uploads/686ba5047a5d64a806a855b6/reports/fe8c251d-2b38-4582-9db6-7571e7a80060/overview
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/fd507e33cd59e92d5ab4abaeb54a2b2f60194c7075441d7f1d3c92c774456a8e
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1729967
Signature
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Uses dynamic DNS services
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1729967 Sample: awb_bl_july_shipping_Inv_07... Startdate: 07/07/2025 Architecture: WINDOWS Score: 100 43 businesstradings.duckdns.org 2->43 51 Suricata IDS alerts for network traffic 2->51 53 Yara detected Powershell decode and execute 2->53 55 Sigma detected: Powershell Decrypt And Execute Base64 Data 2->55 59 5 other signatures 2->59 10 cmd.exe 1 2->10         started        13 svchost.exe 1 1 2->13         started        signatures3 57 Uses dynamic DNS services 43->57 process4 dnsIp5 65 Suspicious command line found 10->65 16 cmd.exe 1 10->16         started        19 conhost.exe 10->19         started        47 127.0.0.1 unknown unknown 13->47 signatures6 process7 signatures8 49 Suspicious command line found 16->49 21 powershell.exe 39 16->21         started        26 conhost.exe 16->26         started        28 cmd.exe 1 16->28         started        process9 dnsIp10 45 businesstradings.duckdns.org 185.167.61.11, 3033, 49696 INETLTDTR Turkey 21->45 37 \Device\ConDrv, ASCII 21->37 dropped 39 C:\Users\user\AppData\...\1g33owxb.cmdline, Unicode 21->39 dropped 61 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->61 63 Suspicious powershell command line found 21->63 30 csc.exe 3 21->30         started        33 powershell.exe 26 21->33         started        file11 signatures12 process13 file14 41 C:\Users\user\AppData\Local\...\1g33owxb.dll, PE32 30->41 dropped 35 cvtres.exe 1 30->35         started        process15
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/fd507e33cd59e92d5ab4abaeb54a2b2f60194c7075441d7f1d3c92c774456a8e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd507e33cd59e92d5ab4abaeb54a2b2f60194c7075441d7f1d3c92c774456a8e/
Threat name:
Script-BAT.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-07-07 09:08:44 UTC
File Type:
Text
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7vih4m6nlhus2wvuvoxlksrlf5qbstdqovcb27y5hsjmo5cfnkha._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
3b39da6b761aebfac6324138212fd5a6eeb89a50ef1e7b8f8a813c07ac920062
XWorm
4c3c7c82fef77195b527cac193188f01065d38da118efdd8d51d8fb53f5af87e
XWorm
792754b8f83fc54cb4f36b0aef98b787d13c76b12a83e765f380d6d8f421abcb
XWorm
839ac710d88eef9e5eaaa68183cd2f5fec297b7094263582d3e5441cf396db50
XWorm
a88faac5c77bb82c70e4aea71d3dffc333540cc05bdb18c5d21b1f9c5b258bc0
XWorm
a90c46b549a798b086e2ef3ee17728c7456cdf3730b25f50500143e3a56de1f8
XWorm
cabe7c8088610b32f234f920fdfc9c0ba3c64301e1cb3bd443f400b9998ba50f
XWorm
e9711aa0601544265b4f9c24442069c4edcd331af55798ca2e4a4d25532ddfd8
XWorm
ec86bb0fad6916b5f2ec59b29bbda6212d6feefb2e56f84fa95bbb3b8e13de01
XWorm
error
XWorm
+ 1'811 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm defense_evasion discovery execution rat trojan
Link:
https://tria.ge/reports/250707-msdfwahr4v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Network Configuration Discovery: Internet Connection Discovery
Indicator Removal: File Deletion
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Xworm
Xworm family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd507e33cd59e92d5ab4abaeb54a2b2f60194c7075441d7f1d3c92c774456a8e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Batch (bat) bat fd507e33cd59e92d5ab4abaeb54a2b2f60194c7075441d7f1d3c92c774456a8e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/12664/

Comments