General

  • Target

    BoostFps.rar

  • Size

    90KB

  • Sample

    241119-v5czwatmgr

  • MD5

    e6f93ec01167c61f91ccc0c28bd5f409

  • SHA1

    566a29f4454ec9c35b5c7ef1bb01aa60acc6802d

  • SHA256

    dfdb370890d33f7b005aab5c8fde063d7f38d546eee8eebd82626ce74241596a

  • SHA512

    72966fc9aecab55102ae90adce7279565f999d0f48548bf2a721581d9253ec67a5871bb991ce0d229cf1d2ace152d0d7922d8cc5315170dc2acc14a360363234

  • SSDEEP

    1536:YHS2xxFKsdyzJokYmfjwTeXrvChffXCcH4V6b8WfBHcO6TBhmodjIvGj0G0y:YHFxFKjz1YmLNXbOfbHZHr6/z0+5

Malware Config

Extracted

Family

xworm

C2

45.141.27.248:7777

Attributes

  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Targets

    • Target

      FPS_BY FILMGODX.exe

    • Size

      98KB

    • MD5

      20f5290def51514fefaed2b744ed961c

    • SHA1

      546f5c611c1d35c5104e2792c76934746f637987

    • SHA256

      3e6f0de70c94df15b3aecb8ce4370e26b62fa38a24bf3710d0d9f0a28b4da656

    • SHA512

      578c4cc3b0375587d13f4b6f28d063322aa4df1dc3a439bc2f22da57475d191b78f7cc6590483ba4462af5a70d7aa73fb6784ae527e46f8e64cb31b3274ef3e2

    • SSDEEP

      3072:gZtcSVYnM7ByozguHogUDqGB5xY7iBCYs9:gXFyaByoUuInqs0

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Modifies boot configuration data using bcdedit

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

MITRE ATT&CK Enterprise v15
