General

  • Target

    Joiner.exe

  • Size

    478KB

  • Sample

    240709-sc9r2a1cqe

  • MD5

    147895e49ae627339a367f26fc90cf9e

  • SHA1

    6523a6d1f52e9e0e373f9ab0d8d6554c0b79058e

  • SHA256

    d0b67de1a1dcdee32ec5bf0eff54a8d0f79962860c7887b4a16c6091b166c113

  • SHA512

    64060022f7257bd27645d9b6a49572b81d61fbbec50fa60aad22af18c909f24ed3e585ae1cff181ed96971540c24f1c92c3c5d266413e0ca78991cfa72649221

  • SSDEEP

    12288:yyveQB/fTHIGaPkKEYzURNAwbAgOT+t1rHH:yuDXTIGaPhEYzUzA0brn

Malware Config

Extracted

Family

xworm

C2

battery-irc.gl.at.ply.gg:4156

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets


    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.
