General

  • Target

    ok.bat

  • Size

    408KB

  • Sample

    240902-lc5dzsxhrf

  • MD5

    b0f8f1efd13e7bd0cc66d64eb3d75a63

  • SHA1

    1800d9fad1506bbaedf09da136b6334660fa31ab

  • SHA256

    0aeb0fb66dd52c44d48137d6b5bbbef9bc57d01c3da4655665e541fdeda94158

  • SHA512

    ef1ab4604783c6a58f7adfe0155226e69cb8970f8eaea211432f95c461bdf0aeccc2de677f687e943400dab05bc798b261d8ac5f58442bcac382096757e7d69f

  • SSDEEP

    6144:bexdO5Cg9W3uNG0mS4jW5RBgYL9rJ4lwhCFPJt7Reg7lrjqV0KEmtlJ8xePlwGB2:iUCg9XNGxzy5RWnHv7N7B2EMbdwLjqeN

Malware Config

Extracted

Family

xworm

C2

final-consequently.gl.at.ply.gg:10334

Attributes
  • Install_directory

    %AppData%

  • install_file

    COM Surrogate.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with a hidden display window.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory
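The extracted config (install directory %AppData%, install file "COM Surrogate.exe", C2 final-consequently.gl.at.ply.gg:10334) and the behavioural signatures above (hidden PowerShell window, dropped startup file, Run key, C2 traffic) translate directly into host-side detection logic. The script below is an added example written for this report; it is not tria.ge's code and not derived from the malware. It assumes a constructed, simplified Sysmon-style event layout (`EventID=<n>` followed by `key=value` or `key="quoted value"` fields; field names follow Sysmon's, but real Sysmon output is XML or EVTX, so the parser is illustrative) and the sample log lines inside it are constructed, not taken from the sandbox run. The `*.ply.gg` plus port 10334 pairing in the network check is a design choice of this example, not something the report states.

```python
"""Hunt for the XWorm indicators from this report in Sysmon-style events.

Added example for this report, not code from tria.ge or the malware.
Event lines use a constructed, simplified Sysmon layout:
    EventID=<n> key=value key="quoted value" ...
The sample log below is constructed for illustration.
"""
import re

# Indicators copied from the report above.
SAMPLE_SHA256 = "0aeb0fb66dd52c44d48137d6b5bbbef9bc57d01c3da4655665e541fdeda94158"
C2_HOST = "final-consequently.gl.at.ply.gg"
C2_PORT = "10334"
INSTALL_FILE = "COM Surrogate.exe"   # install_file; install_directory is %AppData%

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# "Runs PowerShell with a hidden display window": -WindowStyle Hidden or its -w alias.
HIDDEN_PS_RE = re.compile(r"powershell(\.exe)?\b.*-w(indowstyle)?\s+hidden", re.I)
STARTUP_DIR = "\\start menu\\programs\\startup\\"

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one 'key=value key="v with spaces"' line into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def match_event(ev):
    """Return the names of the report indicators this event matches."""
    hits = []
    # Any field carrying the sample hash (e.g. Sysmon 15 FileCreateStreamHash).
    if any(SAMPLE_SHA256 in v.lower() for v in ev.values()):
        hits.append("known sample hash seen")
    eid = ev.get("EventID")
    if eid == "1" and HIDDEN_PS_RE.search(ev.get("CommandLine", "")):
        hits.append("PowerShell launched with hidden window")
    elif eid == "11":
        target = ev.get("TargetFilename", "").lower()
        if STARTUP_DIR in target:
            hits.append("file dropped in Startup folder")
        elif target.endswith("\\appdata\\roaming\\" + INSTALL_FILE.lower()):
            hits.append("install_file dropped under %AppData%")
    elif eid == "13":
        if (RUN_KEY_RE.search(ev.get("TargetObject", ""))
                and INSTALL_FILE.lower() in ev.get("Details", "").lower()):
            hits.append("Run key pointing at install_file")
    elif eid == "22" and ev.get("QueryName", "").lower() == C2_HOST:
        hits.append("DNS lookup of C2 host")
    elif eid == "3":
        host = ev.get("DestinationHostname", "").lower()
        # Assumption of this example: any *.ply.gg tunnel host on the C2 port counts.
        if host == C2_HOST or (host.endswith(".ply.gg") and ev.get("DestinationPort") == C2_PORT):
            hits.append("network connection to C2")
    return hits


def hunt(log_text):
    """Return (line number, indicator) pairs for every matching event."""
    findings = []
    for lineno, line in enumerate(log_text.strip().splitlines(), 1):
        for hit in match_event(parse_event(line)):
            findings.append((lineno, hit))
    return findings


# Constructed events (not from the sandbox run); one benign line is mixed in.
SAMPLE_LOG = r"""
EventID=15 Image="C:\Windows\explorer.exe" TargetFilename="C:\Users\bob\Downloads\ok.bat" Hash=SHA256=0aeb0fb66dd52c44d48137d6b5bbbef9bc57d01c3da4655665e541fdeda94158
EventID=1 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\bob\AppData\Local\Temp\stage.ps1"
EventID=11 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" TargetFilename="C:\Users\bob\AppData\Roaming\COM Surrogate.exe"
EventID=13 TargetObject="HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\COM Surrogate" Details="C:\Users\bob\AppData\Roaming\COM Surrogate.exe"
EventID=22 Image="C:\Users\bob\AppData\Roaming\COM Surrogate.exe" QueryName=final-consequently.gl.at.ply.gg
EventID=3 Image="C:\Users\bob\AppData\Roaming\COM Surrogate.exe" DestinationHostname=final-consequently.gl.at.ply.gg DestinationPort=10334
EventID=1 Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe C:\Users\bob\notes.txt"
EventID=11 Image="C:\Users\bob\AppData\Roaming\COM Surrogate.exe" TargetFilename="C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COM Surrogate.exe"
"""

if __name__ == "__main__":
    for lineno, hit in hunt(SAMPLE_LOG):
        print(f"line {lineno}: {hit}")
```

Two caveats for anyone turning this into a production rule. The C2 is a tunnel hostname under ply.gg, so the resolved IP belongs to the tunnel provider and will change; match on the hostname (DNS event 22) rather than on an address, and expect the operator to rotate the subdomain. The registry read behind "Checks computer location settings" is not logged by Sysmon at all, so that signature is only usable in the sandbox or under an EDR that records registry reads.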

MITRE ATT&CK Enterprise v15

Tasks