Extracted

• • Target

    VMware.bat

  • Size

    289KB

  • MD5

    a5e90c24154a4e465009e93fc19340e9

  • SHA1

    15acae0e1603984b410ded0bb1acaa6ae4403132

  • SHA256

    c8ceaf7b82f3e550e1b788ffb76b5330dffe3e4b61cbb7299a61bf6b37d59bf8

  • SHA512

    94e52a48536e969d347aec48b1e1f0865f1fea5469a04c7aa881447e44644117277a3978fd460707fc1cce6fe6c86f0ee9304530fa9ed2f7c0aa3be9bb5a062b

  • SSDEEP

    6144:Yb63I5v76lO+20BD8Cku8AXsrj5SVFMrRvRDVniIua7XZCXvOzlh:YcYiON0ouVsrjMVGR/uy823

  Score

  10^/10

  xwormexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1