Extracted

• • Target

    781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434_JC.exe

  • Size

    606KB

  • MD5

    c7b28f5f9fb6780fc0976a8383696818

  • SHA1

    af6654f093fe2af97b024dfe8067e0aa8dc93816

  • SHA256

    781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434

  • SHA512

    955e32a0171de8c527906559af067a4b5c25fc6a91ffcb9b1c57f934c82b7ab31885c6b82cf1610c8497b8350523a2316c12fcb8e6a68eb984a6684d4a15a841

  • SSDEEP

    12288:NcrNS33L10QdrXjNfmDnDnCXgUcYfOfAFczhTjHsHLzuhV2Rj+TF:wNA3R5drXwDDuhcY7c9TSuhE4F

  Score

  10^/10

  xwormrattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2