General

  • Target

    BloxstrapModded-v.2.45.bat

  • Size

    4.7MB

  • Sample

    240602-spmg9sfd7z

  • MD5

    49ca64ef9a7428cfec68f16856c91d8b

  • SHA1

    2eefc6469c925781454d393b80d632bee74f7885

  • SHA256

    85e525c496dbe7336161671d9460b5feffc9051b8eab2bd81022d8a8144e57a3

  • SHA512

    cfa760ee0d5d182a5efae98ae5197f74eebf97b3d785e31305b1907e44a759c2bb62a8b6e1b37961af49f11071563de908a87a2af3fa37649bc836b5f0826337

  • SSDEEP

    49152:kVH/tb7905/QVfZEx2zaIhWdEzFrpw4NL+oZsoco/XV5PHQgD:kN

Malware Config

Extracted

  • Family

    xworm

  • C2

    friend-achievement.gl.at.ply.gg:57584

  • Attributes

    • Install_directory

      %AppData%

    • install_file

      BloxstrapModded.exe

Targets

    • Target

      BloxstrapModded-v.2.45.bat

    • Size

      4.7MB

    • MD5

      49ca64ef9a7428cfec68f16856c91d8b

    • SHA1

      2eefc6469c925781454d393b80d632bee74f7885

    • SHA256

      85e525c496dbe7336161671d9460b5feffc9051b8eab2bd81022d8a8144e57a3

    • SHA512

      cfa760ee0d5d182a5efae98ae5197f74eebf97b3d785e31305b1907e44a759c2bb62a8b6e1b37961af49f11071563de908a87a2af3fa37649bc836b5f0826337

    • SSDEEP

      49152:kVH/tb7905/QVfZEx2zaIhWdEzFrpw4NL+oZsoco/XV5PHQgD:kN

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory
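
The signatures and the extracted configuration above translate directly into host and network detection logic. The script below is an added example, not part of the sandbox report or of any detection product: it turns the report's indicators (the C2 host and port, the %AppData% install directory and BloxstrapModded.exe install file) and its behavioural signatures (hidden PowerShell, Run-key persistence, startup-folder drop, execution of the dropped file, external-IP lookup) into rules and runs them over a handful of constructed Sysmon-style events. The event shape, the sample events, and the list of IP-lookup services are assumptions made for the example; the report names no specific lookup service and the registry/file paths are illustrative.

```python
import re

# Indicators copied from the report's extracted Xworm configuration.
C2_HOST = "friend-achievement.gl.at.ply.gg"
C2_PORT = 57584
INSTALL_FILE = "BloxstrapModded.exe"
# %AppData% expands to <profile>\AppData\Roaming on a default Windows install.
INSTALL_PATH_RE = re.compile(r"\\AppData\\Roaming\\" + re.escape(INSTALL_FILE) + r"$", re.I)

# Assumption: the report only says "a legitimate IP lookup service"; this is an
# analyst-chosen list of common ones, not something taken from the sample.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com",
                   "ipinfo.io", "checkip.amazonaws.com"}

# PowerShell accepts -WindowStyle Hidden as well as the abbreviations -w hidden / -w h.
HIDDEN_PS_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def classify(event):
    """Return the set of rule names an event matches (empty set = nothing of note).

    Assumed Sysmon-like event shape: 'id' 1 = process create (image, cmdline),
    3 = network connect (dest_host, dest_port), 11 = file create (target),
    13 = registry value set (target, details)."""
    hits = set()
    eid = event.get("id")
    if eid == 1:
        image = event.get("image", "")
        if "powershell" in image.lower() and HIDDEN_PS_RE.search(event.get("cmdline", "")):
            hits.add("hidden_powershell")
        if INSTALL_PATH_RE.search(image):
            hits.add("executes_install_file")
    elif eid == 3:
        host = event.get("dest_host", "").lower()
        if host == C2_HOST and event.get("dest_port") == C2_PORT:
            hits.add("xworm_c2")
        if host in IP_LOOKUP_HOSTS:
            hits.add("external_ip_lookup")
    elif eid == 11:
        target = event.get("target", "")
        if STARTUP_DIR_RE.search(target):
            hits.add("startup_drop")
        if INSTALL_PATH_RE.search(target):
            hits.add("install_file_written")
    elif eid == 13:
        if RUN_KEY_RE.search(event.get("target", "")):
            hits.add("run_key_persistence")
            if INSTALL_PATH_RE.search(event.get("details", "")):
                hits.add("run_key_points_to_install_file")
    return hits


def scan(events):
    """Run classify over a list of events; return {rule_name: [event indexes]}."""
    findings = {}
    for i, ev in enumerate(events):
        for rule in classify(ev):
            findings.setdefault(rule, []).append(i)
    return findings


# Constructed sample events (not captured from the real sample): one per
# behaviour the report lists, plus two benign events that must not match.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\Desktop\stage.ps1"},
    {"id": 11, "target": r"C:\Users\user\AppData\Roaming\BloxstrapModded.exe"},
    {"id": 13, "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\BloxstrapModded",
     "details": r"C:\Users\user\AppData\Roaming\BloxstrapModded.exe"},
    {"id": 11, "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BloxstrapModded.lnk"},
    {"id": 1, "image": r"C:\Users\user\AppData\Roaming\BloxstrapModded.exe", "cmdline": "BloxstrapModded.exe"},
    {"id": 3, "dest_host": "api.ipify.org", "dest_port": 443},
    {"id": 3, "dest_host": "friend-achievement.gl.at.ply.gg", "dest_port": 57584},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"id": 3, "dest_host": "www.roblox.com", "dest_port": 443},
]

if __name__ == "__main__":
    for rule, idxs in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{rule:32s} events {idxs}")
```

The C2 rule matches on host and port together because the host sits under ply.gg, a tunnelling service whose subdomains are shared by many unrelated users; the port pins it to this sample's configuration. The hidden-PowerShell rule deliberately accepts the abbreviated switches, since the full `-WindowStyle Hidden` spelling is what most signatures key on and is trivial for a loader to shorten.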

MITRE ATT&CK Enterprise v15
