General

  • Target

    Fulloption By. Dex.exe

  • Size

    4.0MB

  • Sample

    241119-ph937swgpk

  • MD5

    5b34c8c913bffd982ce703edcb56fae3

  • SHA1

    3b58515c2839fef05968a0e1ecec7d4512807648

  • SHA256

    4ea0f4177212cf9914dc618b5be8ba2fb321bce0842d16cf5f36ee61836488fe

  • SHA512

    0c1566a42026d7cca066264b2c6f317b5151c1908000a8126cb0934c9f2985f77ec2d4d21de6c94c4138c03b8a90ac8aff3c70ea7e4d4e23f54f9cda293b0848

  • SSDEEP

    98304:SpnuyBv8VH8hzMDJf9+smoYrMvdwTj2ps7:UnuEv0Ib5ydwTSW7

Malware Config

Extracted

Family

xworm

C2

185.84.160.151:7000

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks