General

  • Target: rat remover.bat

  • Size: 8KB

  • Sample: 241121-yjh6jswjhs

  • MD5: 37fa5465a015515ca2d1aec1265e50e2

  • SHA1: c70aab71cac4f51b51e1e9b796dac8d85109442f

  • SHA256: a5f72f5b6a80a798b398d9e0af0d06647ebd7af9d00a38213ec079b59820cad3

  • SHA512: 95ac8955274885d368d8d338bd5bd3448bfb2191118258a2c806b550ac3d314f0a7ea2496d1c526ea3341d41ac0f34bdd8431b9e2051cbdc35199a05a3be0356

  • SSDEEP: 96:ci4bPeGVlBbGV5FYAUdaIQe/0uscQGZ/nWuPloLe9maMBqeTBKAR4iWPMY+aBUAS:DoW77Shdsusc1l6aVh/y

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory: %AppData%

  • install_file: dllhoster.exe

  • pastebin_url: https://pastebin.com/raw/7dw5bmk3

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks