Extracted

• • Target

    f720fd37c22027b85d5f695155e930a19c3245258af753c7e0c72e23da27458fN.exe

  • Size

    71KB

  • MD5

    98f01c194300ce57cc35ef4fe144a310

  • SHA1

    a0816cd4c4c76fd97ae779d711a591aff1c1d39e

  • SHA256

    f720fd37c22027b85d5f695155e930a19c3245258af753c7e0c72e23da27458f

  • SHA512

    1342de29323747154cda8227c4e4c26ab10a5ff914112804c4d5cb6722b7441c8bbc66c8d93518181caaabf96e2e394bcedaa955c5e52fd486ace643e08eb482

  • SSDEEP

    1536:HAhhDPSwxMPL9t6MU+b5LxuE66GMj+9OJvAWPd:tByD+b5LviMjkOh/d

  Score

  10^/10

  xwormexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Adds Run key to start application

    persistence
  behavioral1behavioral2