Extracted

• • Target

    NursultanLauncher.exe

  • Size

    14.6MB

  • MD5

    e0931ba21d8e656b82511a8686e0026f

  • SHA1

    432225926aa4f5841cfd035a51ff7157a5a8809a

  • SHA256

    9c5df26ea92875cc1fa22046f5b88a881b09d9dca85ac65a10e29ee1dc9b1bf5

  • SHA512

    6aa7fc36e38ba34ef039ba4df38f239e416070d76f300f4043015139da5ed827c92d32862b0c75d540c4194a2785c6ac524e554d1580f1a4e93aa4a61b6718c0

  • SSDEEP

    393216:7pRpu51k22qim6QTV6hTZLPHZ3a88WAgSgHD:7pR12j/R4b5iWAgHD

  Score

  10^/10

  xwormdefense_evasionexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Hide Artifacts: Hidden Files and Directories

    defense_evasion
  behavioral1