General

  • Target

    2024-11-02_41142f7b082b159c08fccab6be1378b1_avoslocker_hijackloader

  • Size

    5.3MB

  • Sample

    241102-yq8d1stfjg

  • MD5

    41142f7b082b159c08fccab6be1378b1

  • SHA1

    0be691768a797e4585535d7c8411097565da7305

  • SHA256

    11663edd452b775ef1547956aae32121b71d0fbd235f7a926ad0932fa4243e5c

  • SHA512

    1709ff4363ef253bc35eaac6196cd85c209052e5d73666556879e719e9ab779cb7c46e14cd6241dcebd98d6774ab9523f14753b3d7a36ad85f1f23f63c4f127b

  • SSDEEP

    49152:i/u5iFq3MEwoDEAy7AfOU/zXNUfEeXAxhF2rl/IuOryOvKODjj3POMjUfkptVxp/:5OU/jIEeQfoR/IuOFVjUu5

Malware Config

Extracted

Family

xworm

C2

192.168.68.1:7000

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks