Extracted

Extracted

• • Target

    XWorm.V7.2.zip

  • Size

    34.5MB

  • MD5

    9a678aadc9ed2e2bd69c4c3de72f9e69

  • SHA1

    742de1cae6423b50f59a9c757b016314f492f455

  • SHA256

    8a615f3ae908bbbfd33c6c019db5791372fd0bddae07681816ea43d12dd73bd9

  • SHA512

    8eb793302fa16fd155c465271288275e929cd4a63017b48925b57d73dfca889f7b36273aabbc3a08264a4eb6ea95899f61afe7a430c362d7cf22145787a70bd4

  • SSDEEP

    786432:2Aei7Z9K1koiZEj6mcaFf8G465XEDgjHOED+K6gWvPgbHGGg:eqSiFhuUJkhjHPOgbHG/

  Score

  10^/10

  asyncratxwormdefaultexecutionpersistencerattrojan

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Asyncrat family

    asyncrat

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Async RAT payload

    rat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  behavioral1behavioral2behavioral3