General

  • Target: 76154878a09a8f464845a19cd299069d952e81ae4a5198c855960dcbfd15fe8c_JC.exe
  • Size: 1.0MB
  • Sample: 231013-1f2jtsdd95
  • MD5: 40f71e61f16bfac54bb65bfa5e4776f3
  • SHA1: f7991d0dc570c3f7de97c20ec269ee361c0f290d
  • SHA256: 76154878a09a8f464845a19cd299069d952e81ae4a5198c855960dcbfd15fe8c
  • SHA512: e17d7f8a70440506b30afa4639c69e8cd995a5df1008cfd700c61d6311a9ca8f6c9d953cff44b68c617e5ea51e25ecd22c693946b1dac74b87795e14cc14a2f1
  • SSDEEP: 24576:AXO6MavWMO6MavWa1IEnwMAVw9ZdbDXKiqCI0C:UO6MavWMO6MavWyn5AVkdePCvC

Score: 10/10

Malware Config

Extracted

  • Family: xworm
  • Version: 3.1
  • C2: 191.101.130.18:8252
  • Mutex: QjEV8RvoMfefc5wG
  • Attributes
      • install_file: USB.exe
      • aes.plain

Targets

    • Detect Xworm Payload
    • Xworm: Xworm is a remote access trojan written in C#.
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
    • Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
    • Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15