Extracted

• • Target

    RedwareTemp.bat

  • Size

    548KB

  • MD5

    73c36e7e75e989f8b1e5dd4e9a1b493d

  • SHA1

    af5bf582a6d1b424355f8af579b8f202fbe4b834

  • SHA256

    2b0fa86f46148d25d365085a021a9b836e34275955ca0446723553bbcf388ac0

  • SHA512

    5c95fcfb41ca505ca2a9d7d0f11d4e57831bfabd5e1c741c6bf26b0b2a89e36524cca53e6eff3ad7ccac14c0030ab0fc76581275ee8acfe0304be216a6e6ec44

  • SSDEEP

    12288:FTiR+PqY3LWerg7f9AqvSU84kI3Hu+MoovimheIBVXMTT:RhAfcidQ6mEy8P

  Score

  10^/10

  xwormexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Executes dropped EXE

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1