Extracted

• • Target

    TZx.exe

  • Size

    7.4MB

  • MD5

    172ac8ac9227cd144ffdf28657905440

  • SHA1

    4dd0b266e75c97fbba84f3a42e649b013ecc63e8

  • SHA256

    92f71cbbbfe80ed232a393eb4092f11cc98e074ec0fc5066ff3643c477b1d327

  • SHA512

    dda6f5aa6ad1df5fee7a28439b6c0b78f9a8a8ad52040f9b49c1923e2fe869a918ce536daae93767e757726f076b501d26dbb366ab644a4476832c312d3b5481

  • SSDEEP

    196608:nD0cD1iPeLjv+bhqNVoBKUh8mz4Iv9PPv1DVWhg:Yi0qL+9qz8/b4IRv3Whg

  Score

  10^/10

  xwormcollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationratspywarestealertrojanupx

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Clipboard Data

    Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    collection

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion

  • Enumerates processes with tasklist

    discovery

  • Hide Artifacts: Hidden Files and Directories

    defense_evasion

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1