Extracted

• • Target

    53ffbe2e9c08961a21157be3a79fe0a33d19ec4bdae8cf2dc62c27f1fa4097df.exe

  • Size

    255KB

  • MD5

    e03c1771945c884883a82704a93ca453

  • SHA1

    78609d9940ec6e59db7961ec2ac859c68ce81186

  • SHA256

    53ffbe2e9c08961a21157be3a79fe0a33d19ec4bdae8cf2dc62c27f1fa4097df

  • SHA512

    ed063720d08c2cd8b674101b5d457795ec570fee19c1e0747fd708428f7b8ae9736cfc02ace2fdc0040cc15019163fa86fba22147c68d77fc22be95d3343ab6d

  • SSDEEP

    3072:sH++bXekOTbSiLvAzII9x66AOag74srxxVfPWKvQIFY623:snbGCqONxTGqQI+62

  Score

  10^/10

  xwormexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Adds Run key to start application

    persistence
  behavioral1behavioral2