Extracted

• • Target

    XBinderOutput.exe

  • Size

    334KB

  • MD5

    bd5a99d1a915d183796d52364729242f

  • SHA1

    d0b0913ac86154d9eb6ab8f22b1b6d0e3682aa51

  • SHA256

    5dc9341df08796ab376579f34442247fa6942463974bad85e6d2709a114fe037

  • SHA512

    1b076341992c63268b4ba400fb0ca9b65b49af09c5fb01553cee1e80da2dc18cd53f920bfa9987bd13b9c2f3b42cad54fc573f3a2ca7a1b9d50b98c32671fb91

  • SSDEEP

    6144:v98Spzgs21x/GJqkntASwQvJzp8kRJoKXqwUHrsTB2zs+FAWKiXG/P16fCt3OY:GKgs2X/gDiVBQTB2zI6TO3O

  Score

  10^/10

  xwormexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2