Extracted

• • Target

    Fixer.bat

  • Size

    390KB

  • MD5

    a0814afd89ab12f8cceafb87e245747c

  • SHA1

    c4c7f164b46634e052e1c0cd4cbe8b4a8c93f5d8

  • SHA256

    76a4b894612a0cbd8b0e609a0a83e6da487435f07595f1c76512f6d9b32c7ece

  • SHA512

    2dec24d7212c97dbda471f69abb55581c0f03074d98119f6f59e84ce4a2472eab6b613d09b9bfb58ffa997b606453013cdf9bd738e6067a9a8aec6485a3d340a

  • SSDEEP

    6144:vn/MqOo6Y4c9yAvZXgCiEVISD9Fa4cGWrI/86nA/PReF9edyDLcOBb5+tV:vn/6kAAvFlVISD9FWGW8xiojbQtV

  Score

  10^/10

  xwormexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  behavioral1behavioral2