General

  • Target

    XWorm V3.0.exe

  • Size

    19.3MB

  • Sample

    240716-bev8zs1ajf

  • MD5

    d7e85bc99cb79b98d64a6d4b8b7d041b

  • SHA1

    137f70c449be88103e4f1abfa80658ccbd9ba3f9

  • SHA256

    8dd83abb25a341413e009b4b6b0b12582382d99bc2f3d2b0d07c95bf3b8c0c81

  • SHA512

    c35a74526edee423254a4335946a9d447c95a31a4acb9923ee667d074f9c4f84d0d5f6cf22bc6a23012ebe04ef4d6ad43bd2e55dc287d4dfe52a5d9b71f8d4f1

  • SSDEEP

    393216:JZgqzDlLO/uc+9bPugF7cp4rTKiSVbafhkCvBeLfhfzm:JqctO/k9bPugypcKtVGhkckfBy

Malware Config

Extracted

Family

xworm

C2

147.185.221.18:43279

147.185.221.18:47186

147.185.221.18:45497

147.185.221.18:24123

147.185.221.18:41609

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Discord.exe

Extracted

Family

orcus

C2

147.185.221.18:43279

Mutex

1a3206b13a7141d7a10982ddf15a2503

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Target

      XWorm V3.0.exe

    • Size

      19.3MB

    • MD5

      d7e85bc99cb79b98d64a6d4b8b7d041b

    • SHA1

      137f70c449be88103e4f1abfa80658ccbd9ba3f9

    • SHA256

      8dd83abb25a341413e009b4b6b0b12582382d99bc2f3d2b0d07c95bf3b8c0c81

    • SHA512

      c35a74526edee423254a4335946a9d447c95a31a4acb9923ee667d074f9c4f84d0d5f6cf22bc6a23012ebe04ef4d6ad43bd2e55dc287d4dfe52a5d9b71f8d4f1

    • SSDEEP

      393216:JZgqzDlLO/uc+9bPugF7cp4rTKiSVbafhkCvBeLfhfzm:JqctO/k9bPugypcKtVGhkckfBy

    • Detect Xworm Payload

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Orcus Rat Executable

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
