General

  • Target: ed217363c6941d6973c68018b3579703fcb2e3dcc903f868f3c17a04bef57c82
  • Size: 415KB
  • Sample: 241202-mfs1ss1jet
  • MD5: 08db00b200723dad6067e9c99cdc819a
  • SHA1: bf455fe05eb3ac9b0248efef33254befa7f035a2
  • SHA256: ed217363c6941d6973c68018b3579703fcb2e3dcc903f868f3c17a04bef57c82
  • SHA512: 486bc356496b64c6d5f5387d24cdead7a8ccaec393120dc95689dac6a5b759739cf6255150d3a7914d95bc9f5fe16e02212d888f160abb91c58e8f852bbd78b5
  • SSDEEP: 12288:FoaYwa+54OxqfeXzZCrzE9IYXuSf4x/nv4MTaxnKXxXaa:Fiw94OcAzwYIY+Sf4x/zTJX5aa

Malware Config

Extracted

  • Family: xworm
  • Version: 5.0
  • Mutex: 7r54Iv7WwsTgLPOp
  • Attributes
    • install_file: USB.exe
    • pastebin_url: https://pastebin.com/raw/UjEMadMV
  • aes.plain

Targets

    • Target: Datasheet.scr
    • Size: 476KB
    • MD5: eb23d50af27df1288faf92898cccc3d3
    • SHA1: f82e28701d256af04e7728c19dd5329dd23760f2
    • SHA256: 0e2ab563262e27e9095c4c1e055d25974c7f8d767de7d97d8943306268a54d33
    • SHA512: 70fa97b3620b569d4f304b97a3f22ea720b4dcc8007301ee0a54b3d9f901670962a08becd45b43838506d88a6b5eb4a5e4a6e43b26eb5b30202ac5f2c403c457
    • SSDEEP: 12288:o8PZsrAXeXzKinig6dpXnWq4U5usx+Xti:o80zKhHV4Ux

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks