General

  • Target

    bebra.exe

  • Size

    74KB

  • Sample

    240531-xk8bdsad48

  • MD5

    669e9e7f8c7290ffda453a62f14ca030

  • SHA1

    4eabe1cb31a0c2ed609fcdef7a5d2ca0bfff328c

  • SHA256

    58b0a1a32bd96f09ac520b8a7433cc86f0ac5c3fa1df4741dd8b2bd12713f749

  • SHA512

    bbc310297435462479a6035e0522ce3da55bac7ca2b1fd77825a798b70f84edb4402405b25cfb33d0dad808570f6b1dab88f7699d0d4777a97465d8183075655

  • SSDEEP

    1536:BKru/Ft/VKQWRdx0zaYEeqbGxkwfTlk6QUGH+meODiDDO1:UrWF1MpAEeqbG6IywmeOWDi1

Malware Config

Extracted

Family

xworm

C2

consider-catalog.gl.at.ply.gg:61770

Attributes
  • Install_directory

    %AppData%

  • install_file

    bebra.exe

Targets

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks