General

  • Target: uihelper.exe
  • Size: 71KB
  • Sample: 240615-y5966axbkq
  • MD5: dffb74f4ddf0aa77581c3115bccffe96
  • SHA1: f80ccede44a4f6298ed9cbbbe5173ec177653984
  • SHA256: fb1129f10e3378b7a24603728a3242db30b43ce7fb818803de66e26a8048518a
  • SHA512: 16fcec0f7c2fdcb8f81f6863ba327dffe4818e5e3a09f84008617ba5ab70d4112b80d82282bf0644b223cd2dbc0a7335a53c4794447c20c2664bb2681d7e9668
  • SSDEEP: 1536:aL7csa/kywL0cbUr5U68wZPiJqbqvHZARS3eOQ6h5mdOyXx8Nc:Q7HaMywAN5U6BPiAbqvakeMmdOGxmc

Malware Config

Extracted

  • Family: xworm
  • C2: final-consequently.gl.at.ply.gg:10334
  • Attributes
    • Install_directory: %AppData%
    • install_file: COM Surrogate.exe

Targets

    • Target

      uihelper.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks