Extracted

• • Target

    DiscordCloner1.exe

  • Size

    7.8MB

  • MD5

    2281c60616dafe2fa054b884a19326c2

  • SHA1

    131ac246d9a375dbf71af777c475e39fb428cd53

  • SHA256

    757086454e8acecdc9558e745160d6f662be0f43425e97da94097bbe990800c8

  • SHA512

    6f9e6995f140cb2b60e828bb46447f40abc79e20bd40581bca4192da4971dc06571a5986ccccfa4e06a3871571ad0a6cc22907fcdaad3f5dacf0b491cc17dc25

  • SSDEEP

    196608:JKWmlZ0RoP81IKwiUzdkJOdw3vdTD36qdsXnKZ5ywXz:Jsl6VSKwV3dw3v5Kv3KZF

  Score

  10^/10

  xwormdiscoverypersistencepyinstallerrattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2