General

  • Target

    XClien43t.exe

  • Size

    41KB

  • Sample

    250124-w1jsas1nfw

  • MD5

    29d98f1acccbe2b8ce586b508c46d42d

  • SHA1

    6ca5528190b79d149d9b56b7637c995f6c645a7c

  • SHA256

    d60b4bcbd19cd5836666d2c58a26bf21d1eae2d3400d3fdc611e4094841c0eee

  • SHA512

    230df3e5f5c9194cd4aacc2da0b81f30ddfa9487007b0a7a829c198c7cc9cfed6f97711d3639df25715dfb521dcf4f9bfcc0509a402017ea50265f7f13b9be0d

  • SSDEEP

    768:7YjChiGFs384cu8CDkUX9cV2gwbXEgaaDTesF5Pa9WlOMYOwhI3suu:SCNFs384cu889cVJyXWaZF49WwMYOw2I

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • Mutex

    55NzaojDatlAcwJc

  • Attributes

    • Install_directory

      %AppData%

    • install_file

      winconfig.exe

    • pastebin_url

      https://pastebin.com/raw/aVpjakPZ

  • aes.plain

Targets

    • Target

      XClien43t.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks