Extracted

• • Target

    XcHvYYrNa.exe

  • Size

    35.7MB

  • MD5

    17a5b2e38e52ba783232e01686477307

  • SHA1

    19905670b94997dfbcbccdd3437e3595119d9538

  • SHA256

    f58b4cb63d8d082dd1c6061c4f87f292d194fb7a19c55f6df5ee781431dce31a

  • SHA512

    e7417c40188807f7b5a2facb6bf10813ec7450a82be9b0d47795e519083e484eb5cf045fa1e7b169695b1f56aefd078294969351d83a38e70a099395e93a6951

  • SSDEEP

    786432:/QUiPmbQYUS3jKoNpSaDlLlrfrvacgl8x8MQkEweK:/vs1UuDapLlrmcgCxzP

  Score

  10^/10

  xwormevasionexecutionpersistenceratthemidatrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2