Extracted

• • Target

    svchost.bat

  • Size

    287KB

  • MD5

    9be1452fccb6a9ca2b3e28b89d0c879e

  • SHA1

    8fe95b338be85b1ceac233a51abf3c59890741a7

  • SHA256

    fa57646f828af97268c76a06db56ef3c7dbc6c87d8b3a49579783b346c1ef6b6

  • SHA512

    f2376350ff5e8b5c405c3e48370a22d140249c77a3c5b69f88e55c87f5f643f501a95f1dcf3e361619562ca4fdefa403caed95cb26bb6250c4a62a270803474f

  • SSDEEP

    6144:eIAZ2ZdcY5dv7vuw8UD2CmmrVKsQ7p/0FD+Q7b7QatJqYS:eIAZWcGv7N8UDa+VK790FqQTQc3S

  Score

  10^/10

  xwormexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1