Extracted

• • Target

    c.bat

  • Size

    228KB

  • MD5

    a3b38f1fb45a0d979bb36e9b75d2f87d

  • SHA1

    39bbb23feb2ca23f3c4086b60e87a9bdc8dd061a

  • SHA256

    d6700b00f076df721138d454547343a20467a731a76f0f8602f676cb9485bec5

  • SHA512

    4ec8b722e1f12e3c29cde328bf4d4e399410c44097379944b0e5f2aca48ed59973cdfe53664da1de5201fbf630660550fb44f7832ab3e19f93717d366cdd4e99

  • SSDEEP

    3072:Q4nDlXCJFOY9/dyPKgMGfGiPovhfpla1R1EYkOipIUqntjj9YjMybguqJb5HIPv9:1Wb9IPjuplaP1Vgr0nSYJmBN5

  Score

  10^/10

  xwormcredential_accessdiscoverypersistenceratspywarestealertrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Blocklisted process makes network request

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2