General

  • Target

    a85daa145e9e0bb8872bf92f1f4046a7a03870390e966314dfb4802bbb63382f.exe

  • Size

    75KB

  • Sample

    250123-21198sxnc1

  • MD5

    2fbece266a952df408602eb9cbedad0f

  • SHA1

    f307c496bb6fd8531584c19474ef6de1775ba744

  • SHA256

    a85daa145e9e0bb8872bf92f1f4046a7a03870390e966314dfb4802bbb63382f

  • SHA512

    15edd9bd37ce9179701758eb1a49dbffd4a101b3b33aa21e757c4a1117772170c0ff3e8355a798f605c763affd2be664bd71c75eb71265c320dcbe3339850c16

  • SSDEEP

    1536:WQvlvzEfcn5PF6vWs6aq69eq9bC29104DTcp7i600xPCOMQln84lO:WovIfk6OYRbCaSacl4OMulO

Malware Config

Extracted

Family

xworm

C2

25.ip.gl.ply.gg:8258

Attributes

  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Targets


    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks