Extracted

• • Target

    99zRat-cleaned.exe

  • Size

    189KB

  • MD5

    742573ed7b27bbeed5ab6126317581c1

  • SHA1

    09f8c8afcf08bc91a0cfefa7602338d1164e6df8

  • SHA256

    b13fcfd29bfe8e7a729b9261e7df409997069b83cf2ebac629ceb099759e1a29

  • SHA512

    f036b60080ccc9a503c6adb05f8ab007a52e1c16cdda55c4ae9c725d38fc007c3885ee87c165be57e08ea7384935e1af033a3ff13af347ce7eeec0ae1373be06

  • SSDEEP

    3072:Uh9z8AlC630+t5+Fiowk18cyf8sX+Qc/cJ6HM2v0hHsxs:UhpnCOsX83f8Sbc/lT

  Score

  10^/10

  xwormexecutionrattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  behavioral1behavioral2