General

  • Target

    fixer.bat

  • Size

    88KB

  • Sample

    240601-yn3qradd2x

  • MD5

    561c4ecf6ab3848d4d45ee983b5e6bd3

  • SHA1

    11e581a4bd84cad824f1dfce89962ab593b4193a

  • SHA256

    2b7272581314f0f4b3cd41c32cc9ebd5950eb1acf67601bd6bdf1365aacc8eab

  • SHA512

    1f6f460a4df29eb2a2b1f8bb932e549e51c4b257c3ce6808038d877a50fa3b8bccaea38aa900d00e9207a764f7aebfc0f9a7b5a07bc53a9902544e0d280ad716

  • SSDEEP

    1536:5BhqxndKixJiWoFnHgyUkepspzSIWoDMbQ3JAX/EnuztSePjy08+:57qDchgkhrZZAXMnW8eby0H

Malware Config

Extracted

Family

xworm

C2

movie-buddy.gl.at.ply.gg:40572

Attributes

  • Install_directory

    %Public%

  • install_file

    Runtime Broker.exe

Targets

    • Target

      fixer.bat

    • Size

      88KB

    • MD5

      561c4ecf6ab3848d4d45ee983b5e6bd3

    • SHA1

      11e581a4bd84cad824f1dfce89962ab593b4193a

    • SHA256

      2b7272581314f0f4b3cd41c32cc9ebd5950eb1acf67601bd6bdf1365aacc8eab

    • SHA512

      1f6f460a4df29eb2a2b1f8bb932e549e51c4b257c3ce6808038d877a50fa3b8bccaea38aa900d00e9207a764f7aebfc0f9a7b5a07bc53a9902544e0d280ad716

    • SSDEEP

      1536:5BhqxndKixJiWoFnHgyUkepspzSIWoDMbQ3JAX/EnuztSePjy08+:57qDchgkhrZZAXMnW8eby0H

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks