Extracted

• • Target

    6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe

  • Size

    16KB

  • MD5

    acfdf588da4f3d02f8b4e6db8cc9e60d

  • SHA1

    71bc876820b36d478f65cb9f236499d8c98a7fdd

  • SHA256

    6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9

  • SHA512

    3698487d35e5d12d013c4f986375191e645038fa3199d7950c03370c085533aa6da2710ab2c9b7f200d5625c90b39bb5580fbf0dfced9cad6ebac86e001d83b8

  • SSDEEP

    384:eRc06pZg1jOAJO0lsJeho4ZbP5bvGINB9FlbP4Nk:qX6pZgAiO0Be49RlNB9XbQK

  Score

  10^/10

  discoveryxwormexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Command and Scripting Interpreter: PowerShell

    Start PowerShell.

    execution

  • Suspicious use of SetThreadContext

  behavioral1behavioral2