Extracted

• • Target

    XBASS.exe

  • Size

    1.5MB

  • MD5

    638e5f44f917de3b3b3473aafbde50b1

  • SHA1

    8f48986374bcac52c2df6268bc0456864bbca12f

  • SHA256

    7a0edc7a5d067e8df9bf44c4ef85d0e0bd9b4ae09a4569737480d1ca861f05e1

  • SHA512

    62f916f131c65096c91c1674ed85e2903648f2c1772e785cc34d1bb9c40bb0126f0e3e1a3c0eb5e670d567a57db27af71fcb45658d38ee9c28792ce89256c637

  • SSDEEP

    12288:jm6xXKTEXCwEapqeQYl+3e+C6HLn0E7C6P/:ZK4xqepl+3Vb00C6P/

  Score

  10^/10

  xwormdiscoveryevasionexecutionrattrojan

  • Detect Xworm Payload

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification

    evasiontrojan

  • Checks whether UAC is enabled

    evasiontrojan

  • Suspicious use of SetThreadContext

  behavioral1behavioral2