Extracted

Extracted

• • Target

    win12.cmd

  • Size

    3KB

  • MD5

    c017186534dbc3d9a29f34d8925a4a96

  • SHA1

    6bebafd5a50ddc96f9ede400c842b9c09ee8b38f

  • SHA256

    d9d9750e2dca4abfb7eb23bb48dd0484b4a6e44ef970133fce40769f4308aa3f

  • SHA512

    8b40346ba61af805a1ce91e68d9cba8e9451e629bfe84ca6ae3e4b6eaab28625e39bac73338e78ad98cfc56abd7f6b6b25467e0327970b6351e494c6524e48d6

  Score

  10^/10

  evasionexecutionpersistenceprivilege_escalationxwormcollectioncredential_accessdefense_evasiondiscoveryphishingratspywarestealertrojanupx

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Modifies Windows Firewall

    evasion

  • A potential corporate email address has been identified in the URL: FluxJacker@mrfluxdevNewCLient3E7ABBA4F1555BE44044UserNameAdminOSFullNameMicrosoftWindows11ProUSBFalseCPUIntelCoreProcessorBroadwellGPUMicrosoftBasicDisplayAdapterRAMErrorGroupFJv1snew

    phishing

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Clipboard Data

    Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    collection

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion

  • Enumerates processes with tasklist

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2