Extracted

• • Target

    348b05201dbe7fd54d844f0e94906a45c899bb0a450c11a2d0e7a385517f0a4e.bat

  • Size

    94KB

  • MD5

    a5bd53f790ed63251d0f435b17ada13d

  • SHA1

    c0ada960a41596819df77f185dfe79b730ade6c8

  • SHA256

    348b05201dbe7fd54d844f0e94906a45c899bb0a450c11a2d0e7a385517f0a4e

  • SHA512

    fe034f585627253eb436fc7f0b0d831e70acf93351c09e97ddb21f569cd1fc158777738eb24910c66d2a65d560801bb4cfb0835281f711f21e4e8d45e06fcfa0

  • SSDEEP

    1536:y3UhPdcYkDCDYe694UQ3DvwDnqFDdbYdLRmUpDLHcfVWeIZ9U1mRDLOeBrT:y3K6Yb694VzvweEUUefVmZOwRDLOW

  Score

  10^/10

  executionxwormpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Adds Run key to start application

    persistence
  behavioral1behavioral2