Extracted

Extracted

• • Target

    RemoveMalware.bat

  • Size

    391KB

  • MD5

    d8a7740fc4dfa66c80eedb47bb8b15c2

  • SHA1

    4a6b941faf000a318e946d59f7ed53b595981200

  • SHA256

    2d16ba84b31661bb02d59a4cb963a8600dfcec2d10e256cae46911a4c719bc25

  • SHA512

    6253821c13e4e835b701cd493465d914667434905c13fdd685fd6ce554f37c6a4b0d6e58a8ed3da9b25a68facc55a5516d0318e5a7c38c494a7cfb6c53717181

  • SSDEEP

    6144:JbFM40+hSvrpCkScwdwo6mliTcf4UeZbOL0mWPxuxUYsSQJ+beiU:d7hSdvJwdwMiTc43OLtWo9YIw

  Score

  10^/10

  mercurialgrabberxwormevasionexecutionpersistenceratstealertrojan

  • Contains code to disable Windows Defender

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory

  behavioral1