Extracted

• • Target

    downloader.exe

  • Size

    70.1MB

  • MD5

    d30d0e33a9ea2f4bbdad9eeb6d24d995

  • SHA1

    0a2fd43a5834fd742521a56d78c650fed9e6f62f

  • SHA256

    7eb2dfba9b11c74bde2304ae669e92acdd75df672df7f12aa7de609fcc6bb8b4

  • SHA512

    8ebb045789844ca8108b394f34f8c872b98ade89c11e36f0be0e1bbbc58a04fd82d0ea8639d451cf4d6641ce08c8738897416864da4d9a87124cc8ea21672170

  • SSDEEP

    393216:lWxQN89qQk4adiJCuE2fUCdod+OvqKkZHzXhJ/KTe8uiBUtkc0k3qnsGg4GUo3Nl:lWoI7zGV5ahWc3Im3

  Score

  10^/10

  xwormexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

    persistence
  behavioral1behavioral2