General

  • Target

    LabyMod4.exe

  • Size

    4.0MB

  • Sample

    240615-zhzbtaxdqp

  • MD5

    0bbe495d506dc3f4aa6ddfeab3b2621d

  • SHA1

    a3d1a753a89d65347f1f6693dfc15753612ccb64

  • SHA256

    cf5a0372c0667be70f46d879e0ed82af2423f7a08d80b65c6f8adb44a8586e9c

  • SHA512

    a66afe1bbbbcbf9e10c30989afeadd6ea1ce3b3c67e2e464ab95616b602e9851e1ebc33c6356dd0241099781558b069f135ffcb021e399df9064fd01638925b9

  • SSDEEP

    98304:8wz+aVyehU7iYSMF5cbP/5kJsPZ6NdZRM+9ylG5Mi:7+AbhU7iY9FQ5kSYX7MllGt

Malware Config

Extracted

Family

xworm

C2

cameras-happen.gl.at.ply.gg:23386

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes (defense evasion).

    • Checks computer location settings

      Reads the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
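
The behaviours listed above map directly onto host and network telemetry. The following is an added example, not output from the sandbox or code from the sample: it turns the extracted config (C2 host and port, %AppData%\XClient.exe) and the signature descriptions into simple detection rules and runs them over constructed event records. The event records, the IP lookup service names and the Startup-folder shortcut path are assumptions for illustration; the report does not say which lookup service or startup artifact the sample used.

```python
"""Detection rules for the XWorm behaviours in this report, run over
constructed telemetry. Added example; not sandbox output or sample code."""
import re
from dataclasses import dataclass

# Indicators copied from the extracted config above.
C2_HOST = "cameras-happen.gl.at.ply.gg"
C2_PORT = 23386
INSTALL_FILE = "XClient.exe"

# Assumption: common external-IP lookup services. The report only says
# "a legitimate IP lookup service", not which one.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io",
                   "icanhazip.com", "checkip.amazonaws.com"}

# PowerShell that adds Defender exclusions (T1562.001 reached via T1059.001).
EXCLUSION_RE = re.compile(
    r"add-mppreference\b.*?-exclusion(path|process|extension)\b", re.I)
# %AppData% expands to <profile>\AppData\Roaming on a default install.
INSTALL_PATH_RE = re.compile(
    r"\\appdata\\roaming\\" + re.escape(INSTALL_FILE) + r"$", re.I)
# Assumed persistence artifact for the "Drops startup file" signature.
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)


@dataclass
class Event:
    kind: str   # "powershell" | "process" | "file" | "dns" | "network"
    data: dict


def rule_defender_exclusion(ev):
    return ev.kind == "powershell" and bool(EXCLUSION_RE.search(ev.data.get("script", "")))


def rule_install_location(ev):
    return ev.kind == "process" and bool(INSTALL_PATH_RE.search(ev.data.get("image", "")))


def rule_startup_drop(ev):
    return ev.kind == "file" and bool(STARTUP_RE.search(ev.data.get("path", "")))


def rule_c2_contact(ev):
    if ev.kind == "dns":
        return ev.data.get("query", "").lower() == C2_HOST
    if ev.kind == "network":
        return ev.data.get("host", "").lower() == C2_HOST and ev.data.get("port") == C2_PORT
    return False


def rule_ip_lookup(ev):
    host = ev.data.get("query" if ev.kind == "dns" else "host", "").lower()
    return ev.kind in ("dns", "network") and host in IP_LOOKUP_HOSTS


RULES = [
    ("powershell_defender_exclusion", rule_defender_exclusion),
    ("xworm_install_location", rule_install_location),
    ("startup_folder_drop", rule_startup_drop),
    ("xworm_c2_contact", rule_c2_contact),
    ("external_ip_lookup", rule_ip_lookup),
]


def scan(events):
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


# Constructed telemetry resembling what the signatures above describe.
SAMPLE_EVENTS = [
    Event("powershell", {"script": 'Add-MpPreference -ExclusionPath "C:\\Users\\victim\\AppData\\Roaming"'}),
    Event("powershell", {"script": "Add-MpPreference -ExclusionProcess 'XClient.exe'"}),
    Event("process", {"image": r"C:\Users\victim\AppData\Roaming\XClient.exe"}),
    Event("file", {"path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk"}),
    Event("dns", {"query": "cameras-happen.gl.at.ply.gg"}),
    Event("network", {"host": "cameras-happen.gl.at.ply.gg", "port": 23386}),
    Event("dns", {"query": "api.ipify.org"}),
    Event("process", {"image": r"C:\Windows\System32\notepad.exe"}),  # benign, no hit
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Two caveats when using these indicators for hunting: the C2 host is under ply.gg, the relay domain of the playit.gg tunnelling service, so it resolves to a shared relay rather than operator-owned infrastructure and blocking the IP is of limited value; and the Add-MpPreference rule is only as good as PowerShell script block logging (Event ID 4104) being enabled on the endpoint, since the command line alone is often encoded or obfuscated.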

MITRE ATT&CK Enterprise v15
