General

  • Target

    multitool.bat

  • Size

    298KB

  • Sample

    241118-ahevqssrds

  • MD5

    18c5a8b94eb5c19cdd965fc9d4686a02

  • SHA1

    ee67546afe31bcf09dc426955af03594cee62c0a

  • SHA256

    8f6e309171ab8b968764573f9a0252d70b793d36d6fccf1d7eb3fce7763cb74a

  • SHA512

    8b8e0bb6b8b7f9ff1ff75ead07f999b7bbba7fe787d2b731685cd539c76fef1dcf2461fc6be2be49660e352de051003266bb7f664d4d41bf8a2dff120543f1ec

  • SSDEEP

    6144:mxdIea9oQDm/ParmLX7WrxDShuILbormGyOVYKBOc97:mxQNDm3ar6XqrxQHsr/xHBT

Malware Config

Extracted

Family

xworm

C2

85.209.133.220:111

Attributes

  • Install_directory

    %AppData%

  • install_file

    system.exe

Targets

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • A potential corporate email address has been identified in the URL: currency-file@1

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks