General

  • Target

    XClient.exe

  • Size

    78KB

  • Sample

    240601-maf42shf8w

  • MD5

    dcb1c6ea097c0b99326a533ef8dcb99c

  • SHA1

    0c32ff7d84de2e561fdff0920e4dffefae2a6701

  • SHA256

    d56871854edc765cabbec4c94213e48018f06ac3e05ad688aeda733299b8c9e8

  • SHA512

    92f6d308aca63a7974ade9a8ebbfcb994ddccbc7e3da016fb94f99d39feb7802e4ab5c3efa7b94212e4d29477470852ea21c4c5a6a920b166f21fb2ef4d6e8a4

  • SSDEEP

    1536:qUzKKr1fw6QryHIKyMLqp+WSpNUnFbBf8mDf86MsbwOAOpY97Dfs9ijlzGI:TKe7Q9RMLPvpUFbBUuFwO/q97DHjpGI

Malware Config

Extracted

Family

xworm

C2

provides-reduces.gl.at.ply.gg:6197

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      XClient.exe

    • Size

      78KB

    • MD5

      dcb1c6ea097c0b99326a533ef8dcb99c

    • SHA1

      0c32ff7d84de2e561fdff0920e4dffefae2a6701

    • SHA256

      d56871854edc765cabbec4c94213e48018f06ac3e05ad688aeda733299b8c9e8

    • SHA512

      92f6d308aca63a7974ade9a8ebbfcb994ddccbc7e3da016fb94f99d39feb7802e4ab5c3efa7b94212e4d29477470852ea21c4c5a6a920b166f21fb2ef4d6e8a4

    • SSDEEP

      1536:qUzKKr1fw6QryHIKyMLqp+WSpNUnFbBf8mDf86MsbwOAOpY97Dfs9ijlzGI:TKe7Q9RMLPvpUFbBUuFwO/q97DHjpGI

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks