Extracted

• • Target

    aafd7501cdfbe8d856a726dbbba4c8d0fe89b14d7b8577bf7d5e78bc1e63e89dN.exe

  • Size

    74KB

  • MD5

    5ddbe0d3aa9a8bb497ae73b9446a5400

  • SHA1

    07db792a58207e2667dfa4aff59552721fa13c4f

  • SHA256

    aafd7501cdfbe8d856a726dbbba4c8d0fe89b14d7b8577bf7d5e78bc1e63e89d

  • SHA512

    ebf07c7828357692754146c8335fbd439a5a66afdad1a3848dc0ac31eda04509894f01b875151e67a3b8f9b5fbc96d3e2e9bbefc41a20c45f2fca3c0572f9f34

  • SSDEEP

    1536:YaoOInO4f0bgcPLQ+2HUx1F6znOOi0gYvl3FH:toJnDcbXzr2HfOOi0gYNFH

  Score

  10^/10

  xwormexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2