Extracted

• • Target

    XClient.exe

  • Size

    80KB

  • MD5

    bfa950b37b6a4f8de71af861e677a8b4

  • SHA1

    2ee40bfbf2964d92c82256e5924169295dfdd225

  • SHA256

    07f94f8f6061ba95899914496edc5854aa810de56797d9004875276d60e21ade

  • SHA512

    235b514fac01b24edaef3aeb4209676789b6ba9264a8798cb7ae48c26d2455cdd8f254e92bbba688535acb69fd77b3c0a0a549cf97ece84c235cc74f72234e1a

  • SSDEEP

    1536:EI5NuEGJkEtydWqZQSp1eS+b59gxzhfxdl/5m6qeo//3Oy/4IK4Dax5:Eg1GhtktQGAS+b59cJ4eA/OlINDab

  Score

  10^/10

  xwormexecutionpersistencerattrojanevasion

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence
  behavioral1behavioral2behavioral3behavioral4behavioral5behavioral6