Extracted

Extracted

• • Target

    file.exe

  • Size

    105KB

  • MD5

    edd1f792f4dcfaa2e3cc2cb30ab248e8

  • SHA1

    2510594e8f4ba919813be0362e9fd7f0620680da

  • SHA256

    7876f0415e0a2c190ea29756895ebff0c1251abf7aaf1061731b8346564ab571

  • SHA512

    036bb0b4afeebc2e24675dcbd1973b7a54c70d0a33655b86582a19bfd116a78ba09344aedce2c3718a4ecaf894cd5d496019a8247fd9b8646f0c0c4b5cb30bf5

  • SSDEEP

    384:AMjfVU+V4yg3d2xMGJn6BrfKNG99Sjvb99SjvWp:d7XCVMxylB9Sbh9Sb

  Score

  10^/10

  defense_evasionxwormevasionexecutionrattrojan

  • Detect Xworm Payload

  • UAC bypass

    evasiontrojan

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Obfuscated Files or Information: Command Obfuscation

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion

  • Drops file in System32 directory

  behavioral1behavioral2