General

  • Target

    a36885c797f9c9c2970c185c103953c6c1f86a5d49606bf675fdf01c2d32d9ff.exe

  • Size

    6.4MB

  • Sample

    250120-e7485s1pdw

  • MD5

    fd9e0297a3481184eadd1da037253980

  • SHA1

    23fc94ab1e1df30b6b9d988461f8a9d85e1ae4ca

  • SHA256

    a36885c797f9c9c2970c185c103953c6c1f86a5d49606bf675fdf01c2d32d9ff

  • SHA512

    e44545b127a0ddadec79fbcf9633fb56782dc80614b899d6db744852038dcb1aed1d47cb017c55d47ce62980e366f4e288d9bf7b52669fe08638f886f3da1904

  • SSDEEP

    196608:AB1D4Z5XqQSmFQB2QGYCa5ZOBhe2wuF0:aUXImFI4YCakB05r

Malware Config

Extracted

Family

xworm

Version

3.0

C2

147.185.221.25:6864

Mutex

aaF53Xl91CZagti1

Attributes

  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • aes.plain

Targets

    • Target

      a36885c797f9c9c2970c185c103953c6c1f86a5d49606bf675fdf01c2d32d9ff.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
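
The extracted configuration and the behavioural signatures above are enough to hunt for this sample on a host. The following Python is an added example written for this page, not code from the sandbox or from the XWorm authors: it expands the extracted config (C2, mutex, install directory and file name) into concrete indicators and checks them against constructed Sysmon-style telemetry, tagging hits with the signature names used in the report. Assumptions are labelled in the code: the victim username in the expanded %AppData% path is a placeholder, the Run key is assumed to live under HKCU, the location check is assumed to read the user's Geo key, and the list of IP-lookup services is generic because the report does not name the one this sample contacts.

```python
"""Turn the XWorm config extracted above into host/network indicators and
match them against constructed telemetry (added example, not report code)."""
import ipaddress
import ntpath
import re
from dataclasses import dataclass

# Values copied from the extracted configuration on this page.
XWORM_CONFIG = {
    "c2": ["147.185.221.25:6864"],
    "mutex": "aaF53Xl91CZagti1",
    "install_directory": "%AppData%",
    "install_file": "USB.exe",
}

# Assumed victim profile: the report does not name a user, so this is a placeholder.
ENV = {"appdata": r"C:\Users\victim\AppData\Roaming"}

# Persistence location implied by "Adds Run key to start application"; the HKCU
# hive is an assumption, the report does not say which hive the sample writes.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Registry key behind "Checks computer location settings" (assumed: the user's GeoID).
GEO_KEY = r"HKCU\Control Panel\International\Geo"
# Commonly abused public IP-lookup services; the report does not say which one is used.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "ipinfo.io"}


def expand_env(path: str, env: dict) -> str:
    """Expand %VAR% placeholders case-insensitively, the way Windows does."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


@dataclass(frozen=True)
class Indicators:
    c2: frozenset       # {(ip, port)}
    mutex: str
    install_path: str   # expanded drop location, e.g. C:\Users\victim\AppData\Roaming\USB.exe


def build_indicators(cfg: dict, env: dict) -> Indicators:
    c2 = set()
    for entry in cfg["c2"]:
        host, _, port = entry.rpartition(":")
        ipaddress.ip_address(host)  # raises ValueError if the host is not an IP literal
        c2.add((host, int(port)))
    drop = ntpath.join(expand_env(cfg["install_directory"], env), cfg["install_file"])
    return Indicators(frozenset(c2), cfg["mutex"], drop)


def _same_path(a: str, b: str) -> bool:
    return ntpath.normcase(a.strip('"')) == ntpath.normcase(b)


def match_events(ind: Indicators, events: list) -> list:
    """Return (signature, event_index) pairs for telemetry matching the indicators."""
    hits = []
    for i, ev in enumerate(events):
        t = ev["type"]
        if t == "file_create" and _same_path(ev["path"], ind.install_path):
            hits.append(("Drops startup file", i))
        elif t == "process_create" and _same_path(ev["image"], ind.install_path):
            hits.append(("Executes dropped EXE", i))
        elif (t == "registry_set" and ntpath.normcase(ev["key"]) == ntpath.normcase(RUN_KEY)
              and _same_path(ev["data"], ind.install_path)):
            hits.append(("Adds Run key to start application", i))
        elif t == "registry_query" and ntpath.normcase(ev["key"]).startswith(ntpath.normcase(GEO_KEY)):
            hits.append(("Checks computer location settings", i))
        elif t == "mutex_create" and ev["name"] == ind.mutex:
            hits.append(("Xworm mutex", i))
        elif t == "network_connect" and (ev["dst_ip"], ev["dst_port"]) in ind.c2:
            hits.append(("Xworm C2", i))
        elif t == "dns_query" and ev["query"].lower() in IP_LOOKUP_HOSTS:
            hits.append(("Looks up external IP address via web service", i))
    return hits


DROPPER = r"C:\Users\victim\Downloads\a36885c797f9c9c2970c185c103953c6c1f86a5d49606bf675fdf01c2d32d9ff.exe"
PAYLOAD = r"C:\Users\victim\AppData\Roaming\USB.exe"
# Constructed Sysmon-style telemetry for illustration; not taken from the report.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": DROPPER, "path": PAYLOAD},
    {"type": "process_create", "image": PAYLOAD, "parent": DROPPER},
    {"type": "mutex_create", "image": PAYLOAD, "name": "aaF53Xl91CZagti1"},
    {"type": "registry_set", "image": PAYLOAD, "key": RUN_KEY, "value": "USB", "data": '"' + PAYLOAD + '"'},
    {"type": "registry_query", "image": PAYLOAD, "key": GEO_KEY + r"\Nation"},
    {"type": "dns_query", "image": PAYLOAD, "query": "api.ipify.org"},
    {"type": "network_connect", "image": PAYLOAD, "dst_ip": "147.185.221.25", "dst_port": 6864},
    # Negative controls: same IP on another port, and a similarly named temp file.
    {"type": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "147.185.221.25", "dst_port": 443},
    {"type": "file_create", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\victim\AppData\Roaming\usb.EXE.tmp"},
]

if __name__ == "__main__":
    ind = build_indicators(XWORM_CONFIG, ENV)
    for sig, idx in match_events(ind, SAMPLE_EVENTS):
        print(f"{sig:50s} event #{idx}")
```

Path comparisons go through ntpath.normcase so the check is case-insensitive like NTFS and works on a non-Windows analysis box; the C2 match is deliberately exact on (IP, port), so the firefox.exe connection to the same address on 443 is not flagged and would need a separate, lower-confidence IP-only rule if you want it surfaced.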

MITRE ATT&CK Enterprise v15