Extracted

• • Target

    noratnik.exe

  • Size

    208KB

  • MD5

    7923c75699529f65b63ba064c9f512f6

  • SHA1

    f61cece0e51c1119a30e0f05a99dd6e141853388

  • SHA256

    22f802dad03ce14bec556b441955def133bf22dd04e42e247390c418f1c7be4a

  • SHA512

    21a28a417f3d6c43f86cc4d2251eb8712685b6654b27475541f84ea9e8851fa3b3eb48449fa4df6a757753bbfe3d97970b831b1975b01c7104d33bbd70b8e21c

  • SSDEEP

    3072:BmAwnYqFn98ZOua8SKfbzxcwg7es6/Vsb8VKTup49oJMfF/H9N3Ky9NzLn3:BmxnYsn9nUhcX7elbKTuq9bfF/H9d9n

  Score

  10^/10

  xwormexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  behavioral1behavioral2