General

  • Target

    cmd.exe

  • Size

    85KB

  • Sample

    241119-lxd3javbqm

  • MD5

    47c299143a2b328b79b0abbd0d2b4726

  • SHA1

    71b96ac9aee1d841b0c07ebe53b1ebf899a1e056

  • SHA256

    b0561ac87788cf00035fec3ef59da184dc8743cf40c6d812b9704f9c92832871

  • SHA512

    19520cdec2b984cd6f875888a7443edb2c197a2db650c888623f1adbcdd136ff251a119f8a8f5632441f6860f99464c208eeef355c2fb49c18b861bcc2d5351e

  • SSDEEP

    1536:y/jXVBprd91LjQRtosvDJBZ3T7qbKoW++kCKcDgYBtR69ptIvO3kbhKdWGh:yLp9Lk7osvh3ib7W+k4YD0aO3eJGh

Malware Config

Extracted

Family

xworm

C2

man-laughing.gl.at.ply.gg:57783

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    Windows Data Compiler.exe
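The hashes and extracted configuration above are enough to write a small IOC checker. The following Python is an added example, not part of the report or of the sandbox's tooling: it copies the report's hashes, C2 and install location into constants, and exposes functions to match a file's content against the listed hashes, split the C2 into host and port, flag the tunnel hostname, and test whether a given path is the persistence artifact. The sample bytes in the test are constructed and will not match; a real copy of the sample matches all four hashes. The `.ply.gg` check relies on general knowledge that this suffix belongs to the playit.gg tunnel service, which the report itself does not state.

```python
"""IOC checker built from the extracted xworm configuration (added example)."""
import hashlib
from pathlib import PureWindowsPath

# Values copied verbatim from the report above.
SAMPLE_HASHES = {
    "md5": "47c299143a2b328b79b0abbd0d2b4726",
    "sha1": "71b96ac9aee1d841b0c07ebe53b1ebf899a1e056",
    "sha256": "b0561ac87788cf00035fec3ef59da184dc8743cf40c6d812b9704f9c92832871",
    "sha512": "19520cdec2b984cd6f875888a7443edb2c197a2db650c888623f1adbcdd136ff"
              "251a119f8a8f5632441f6860f99464c208eeef355c2fb49c18b861bcc2d5351e",
}
C2 = "man-laughing.gl.at.ply.gg:57783"
INSTALL_DIRECTORY = "%LocalAppData%"
INSTALL_FILE = "Windows Data Compiler.exe"


def digest_all(data: bytes) -> dict:
    """Compute every hash algorithm the report lists for the given file content."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in SAMPLE_HASHES}


def matching_hashes(data: bytes) -> list:
    """Names of the report's hashes that this content matches (all four for the real sample)."""
    digests = digest_all(data)
    return [algo for algo, value in digests.items() if value == SAMPLE_HASHES[algo]]


def parse_c2(endpoint: str) -> tuple:
    """Split 'host:port' into (host, int port); rpartition tolerates IPv6-style hosts."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def is_playit_tunnel(host: str) -> bool:
    # Assumption from general knowledge, not from the report: *.ply.gg hostnames are
    # playit.gg tunnel endpoints, so the operator's real IP sits behind a relay.
    # Alert on the hostname; the relay IP is shared and changes.
    return host.lower().endswith(".ply.gg")


def expected_install_path(local_appdata: str) -> PureWindowsPath:
    """Expand %LocalAppData% from a caller-supplied value so this runs on any OS."""
    expanded = INSTALL_DIRECTORY.replace("%LocalAppData%", local_appdata)
    return PureWindowsPath(expanded) / INSTALL_FILE


def is_install_artifact(path: str, local_appdata: str) -> bool:
    """True if `path` is the dropped binary; PureWindowsPath compares case-insensitively."""
    return PureWindowsPath(path) == expected_install_path(local_appdata)


if __name__ == "__main__":
    host, port = parse_c2(C2)
    print(f"C2 host={host} port={port} tunnel={is_playit_tunnel(host)}")
    print("expected drop:", expected_install_path(r"C:\Users\alice\AppData\Local"))
```

The SSDEEP value is deliberately not used here: fuzzy matching needs the `ssdeep` library and only helps against recompiled variants, whereas the exact hashes, the C2 hostname and the install path are what a blocklist or EDR rule should carry.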

Targets

    • Target

      cmd.exe


    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payload is not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to determine the infected system's external IP address.
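The three behaviours above (Defender exclusions via PowerShell, a startup-folder drop, and an external IP lookup) each leave a log line that can be matched. The following Python is an added example, not part of the report or of the sandbox: it runs a small rule set over constructed events shaped like PowerShell script-block text, file-creation paths and DNS queries, then correlates the weakest signal (an exclusion) with the persistence drop, because an exclusion for the same binary that just landed in Startup is far stronger than either alone. The list of IP-lookup hostnames is an assumption; the report does not name the service xworm used, and a lookup on its own is only a weak indicator.

```python
"""Detection rules for the flagged behaviours, over constructed log events (added example)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Event:
    kind: str   # "script_block" (PowerShell 4104), "file_create" (Sysmon 11), "dns" (Sysmon 22)
    data: str   # script text, created path, or queried hostname


# Only Add-/Set-MpPreference create exclusions; Get-MpPreference is a benign read.
DEFENDER_EXCLUSION = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b", re.I | re.S)
# Pull the quoted or bare argument of -ExclusionPath / -ExclusionProcess.
EXCLUSION_ARG = re.compile(
    r"""-Exclusion(?:Path|Process)\s+(?:'([^']*)'|"([^"]*)"|(\S+))""", re.I)
# Per-user Startup folder: anything written here runs at the next logon.
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# Assumed list of public IP-lookup services (the report does not name the one used).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "ifconfig.me"}


def scan(events) -> list:
    """Return (rule, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if ev.kind == "script_block" and DEFENDER_EXCLUSION.search(ev.data):
            hits.append(("defender_exclusion", ev))
        elif ev.kind == "file_create" and STARTUP_DIR.search(ev.data):
            hits.append(("startup_drop", ev))
        elif ev.kind == "dns" and ev.data.lower() in IP_LOOKUP_HOSTS:
            hits.append(("external_ip_lookup", ev))
    return hits


def exclusion_targets(script: str) -> list:
    """Lower-cased file stems named by -ExclusionPath / -ExclusionProcess in a script."""
    stems = []
    for match in EXCLUSION_ARG.finditer(script):
        value = next((g for g in match.groups() if g), "")
        if value:
            stems.append(PureWindowsPath(value).stem.lower())
    return stems


def correlate(hits) -> list:
    """Stems that were both excluded from Defender and dropped into Startup (strong signal)."""
    excluded = {stem for rule, ev in hits if rule == "defender_exclusion"
                for stem in exclusion_targets(ev.data)}
    dropped = {PureWindowsPath(ev.data).stem.lower()
               for rule, ev in hits if rule == "startup_drop"}
    return sorted(excluded & dropped)


# Constructed events mirroring the report's install_file; not captured from the sandbox.
SAMPLE_EVENTS = [
    Event("script_block", r"Add-MpPreference -ExclusionPath 'C:\Users\alice\AppData\Local\Windows Data Compiler.exe'"),
    Event("script_block", r"Add-MpPreference -ExclusionProcess 'Windows Data Compiler.exe'"),
    Event("script_block", r"Add-MpPreference -ExclusionExtension '.exe'"),
    Event("script_block", r"Get-MpPreference | Select-Object ExclusionPath"),
    Event("file_create", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Data Compiler.lnk"),
    Event("dns", "api.ipify.org"),
    Event("dns", "www.microsoft.com"),
]


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for rule, ev in found:
        print(f"{rule:20} {ev.data}")
    print("excluded AND dropped:", correlate(found))
```

In production the script-block rule should be fed from PowerShell Script Block Logging (Event ID 4104) rather than process command lines, since the exclusion command can be base64-encoded or split across a script, and the Startup rule should also cover the all-users Startup folder and the Run keys that the "Drops startup file" signature may equally describe.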

MITRE ATT&CK Enterprise v15