Extracted

• • Target

    1eeb804cdda18bacd4205a1c25ac6a835f0dac3e7d89ccae111c3e1d449b54a3

  • Size

    1.7MB

  • MD5

    b7114cc6af76ac5f01102fab00c0be48

  • SHA1

    28dd2985c48367bd11628acb1cc079c14fdb32be

  • SHA256

    1eeb804cdda18bacd4205a1c25ac6a835f0dac3e7d89ccae111c3e1d449b54a3

  • SHA512

    cd451759eb4f4db28ea41b3406d668c24a45a882f5c3dedbfed2b80fd9f25954b37e865db8aecc8c148c1a514035b6304ed755e772d776473bfc72528867d5d5

  • SSDEEP

    49152:mX/hnoJJDZFuiMOE2uHL6dQma5ktcaNOtoGiJA:SZoJVZUiMd7+FttcWOtojJ

  Score

  10^/10

  xwormdiscoveryevasionrattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2