Extracted

• • Target

    NEVERLOSE crck.rar

  • Size

    37KB

  • MD5

    b05234e128e5cc3ffe489fcb6a4e6431

  • SHA1

    c478ca3887e540a3594fe4233e961af4c060098d

  • SHA256

    095fe044681a2699b61d5d462065e1b3a9bedc5880d4b023146193a792a9a45c

  • SHA512

    421295f82e88bb3c6fa4c1aac18d12baf6eec3e87da7129ccc96f37e768a2407819c6bae8802c2b97c899a051712f349264b8806d3d9c48b23e9b9f96df67d87

  • SSDEEP

    768:H5Tiu9rII41E03XPLZZ6hdSiiphes7SeVVs4ACH5ewctC4RdiXe:Z26IbSC/LZZOIpPmeVHAA5ejCoge

  Score

  10^/10

  xwormexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2