General

  • Target

    AntiRat.bat

  • Size

    287KB

  • Sample

    250125-pen2kaskhs

  • MD5

    ed4aa7fdb67238c14fa9d266916e6eb3

  • SHA1

    8df2185beef7c7a170bd53921effb4d9ff5d791a

  • SHA256

    9478888ccb2e5bc3d4186efff2f45058783d2ef5aa25e351efb2448610388176

  • SHA512

    97858e4ae2895213c3f140afe48ffd8e0682bdd28f64614896a1009476a2347138b780564fea969881182632c9e715d7af2c4ac1ac397c9d08ed69c7d044e5d7

  • SSDEEP

    6144:afbEDtzm7hg0cIuKH5qGxXl4Vk6YupoHOzNW2TkJaiyIpQP:azE6pLHVx1k7oHqWHyICP

Malware Config

Targets


    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell and hide the display window.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks