VMRay Pricing
Try VMRay

Heavily obfuscated batch file loads XWorm hosted on GitHub

20 January 2025

VMRay Labs found a multi-stage obfuscated batch script with low detections on VirusTotal which downloads and executes XWorm from GitHub.

 

 

The sample uses a UTF-16 Byte Order Marker and an open source Batch obfuscator to hinder manual analysis.

 

The sample had 7/61 detections on VirusTotal as of January 17th, 2025.

7 / 61 detections on VirusTotal

In a nutshell:

  • Low detection rate on VirusTotal (7/61)

 

  • Abuses UTF-16 Byte Order Marker to confuse text editors (0xFFFE)

 

 

  • Uses cacls.exe to verify whether the process is running with admin privileges

 

  • Drops a VBS script to prompt a UAC dialog to elevate privileges

 

  • Adjusts Windows Defender exclusion paths via PowerShell

 

  • Downloads an instance of XWorm from a GitHub repository into a hidden file and executes it

 

  • Batch → VBS → Batch → GitHub → XWorm

Dive deeper into the report

Sample SHA256:

96cc09ef13054fe37778f15fa87202e727832895f9712f68a18618fcb5c24ef1

Threat identifiers

See why we think this is malicious in plain language.

Process map

See the whole path of the sample’s execution

MITRE ATT&CK Matrix

Map the malicious activities on the MITRE ATT&CK Framework

Network connections

Explore detailed information on the IP addresses, URLs and DNS, including function logs and PCAP Streams

Pre-filtered IOCs

Download the IOCs and artifacts to have a clear picture of the threat.

Files

Download the files that the malware downloads, drops or modifies.

Explore how you can use these insights

Incident
Response

Threat
Hunting

Threat Intelligence
Generation