Extracted

• • Target

    SamsungCommisionExternal.exe

  • Size

    63KB

  • MD5

    6f30a565049364df3068b5bc88fd36d6

  • SHA1

    2ca485eb96156bfc561acd69649cf3339da6c610

  • SHA256

    e65d7f5beb1f383e07917e867fb3b18a59a597319d152ad148b37a8924b8780d

  • SHA512

    c01edc2fe4e5ad26b9511cc0bc114221878cf961b436a091a79611ce27da69ce7cf58afdcc71d295ad25f08701b1eb16c0c298fd22fbcb69004f760ea2b89ffe

  • SSDEEP

    1536:9VbfG3pj8mIfpubPOggHEyj26+6POhjV5yD/9:/fGZrIf0bPDgkyjnPOhp5U9

  Score

  10^/10

  xwormexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1