Extracted

• • Target

    682996a7019be86068d43a44152d84f6aa3521737189a1cbb54a23dd40d940ab

  • Size

    259KB

  • MD5

    b3cc8df3c4d0ff7c3dc89558c0d154e6

  • SHA1

    7e145e19d9cf48227b1337c15840b0ce71ff1f6a

  • SHA256

    682996a7019be86068d43a44152d84f6aa3521737189a1cbb54a23dd40d940ab

  • SHA512

    4ee5f776d25c331784129258b10f0e327c69a300ee1726e51e4aa39a4be6f1ea57072a6f600605bd4fb5d553dd526828161366e679149b74ce8a65bcd83a63fa

  • SSDEEP

    3072:tYGJepqxsscTtaXVFm7TyS6cLlxFVJPykf3CTh2N3pqjjwy8:jzxsXZFTj6cJxFVAkqV2N3Uj

  Score

  10^/10

  xwormexecutionrattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  behavioral1behavioral2