General

  • Target

    xworm.rar

  • Size

    29.6MB

  • Sample

    250203-2ad21sxldk

  • MD5

    562a851c0764220154ecfe9fab7b3ecd

  • SHA1

    d5e08334ad4cd9b3e0c995f4997508909d49eb8e

  • SHA256

    c72be52442b2f6bf8bcbc0b75729e4dd8d06a0753bc7d2e184757053f86f1578

  • SHA512

    9d085fbba76df6ea67fd7328ef761cd81ee411639731074eaa30279a162f613e21ef6bbf09142338a51088cd96d0a7073f12fb76dd2698617c179fc15bb4a517

  • SSDEEP

    786432:myGdA3wFLx1TGbUFApDyEN9t0BOZ5QW+vGa:MdA3wn1aoFMDd9tIOZ5c+a

Malware Config

Extracted

Family

xworm

Version

5.0

C2

193.123.88.61:4444

Mutex

1cAjmT6r87cbZXRe

Attributes
  • Install_directory

    %AppData%

  • install_file

    host.exe

aes.plain

Targets

    • Target

      xworm/Xworm V5.6 (2).exe

    • Size

      8.7MB

    • MD5

      9530dd473ed704de0b1fb9005d0b1596

    • SHA1

      d745fcb740939681c166a9a06744ecb118d86aa4

    • SHA256

      7afa79c97a3585ef9280e4a5157f45dcc5f8908322f7c7fce33825114a9c5dff

    • SHA512

      4a2a6101372a46dc01f57b6304f4a0e28b606509f2dad05ea211707755d3648407b1126e91bf49c2bd4a3b27cf98117fcef23fbe4039ae5ebec73f6bb07dfcef

    • SSDEEP

      196608:11gDSqGHoQtAq9xXsfE5mxqEfduHDFEyBWqpwWEEQoyHo54:11eSqGVXsfe0qEfdYnpwWEloyk

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      xworm/Xworm V5.6.exe

    • Size

      14.9MB

    • MD5

      714f51eb76e1d01b1b646962224910a8

    • SHA1

      affe3aba05cdb0ab78fea81be9bae2ffb7dc7a8f

    • SHA256

      6be79ff4d5c370639bfb4c3dbd4f2bc3332a009ccfbda08ed0a88524e3ee5b31

    • SHA512

      a9faa8043b2d9498e78d921e05e3e299ea121af1a95682a70fb76b67df78c8101a6f55fbc1939a2858f282346e35bef9a2ae106bb4a5ae32e84e26107f33c905

    • SSDEEP

      196608:1o/BAe1d4ihvy85JhhYc3BSL1kehn4inje:1eyIhhkRka4i

    Score
    1/10
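The signatures listed for the first target (PowerShell adding Defender exclusions, a Run key pointing at the dropped %AppData%\host.exe) and the extracted C2 address can be turned into host-log detection logic. The block below is an added example, not code from the sandbox, the report, or XWorm itself. It runs over constructed, Sysmon-like event records embedded inline (not telemetry from this sample); the field names, rule names and helper functions are this example's own assumptions, and the indicators are the ones shown on this page. The mutex is not checked, since process/registry/network logs do not record mutex creation.

```python
import re

# Indicators copied from the extracted configuration on this page.
C2_HOST, C2_PORT = "193.123.88.61", 4444
INSTALL_FILE = "host.exe"   # install_file, dropped under %AppData% (...\AppData\Roaming)

# Constructed events loosely shaped like Sysmon process/registry/network records.
# These are NOT telemetry from the sample; the field names are assumptions of this example.
SAMPLE_EVENTS = [
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -Command \"Add-MpPreference "
                "-ExclusionPath 'C:\\Users\\u\\AppData\\Roaming' "
                "-ExclusionProcess 'host.exe' -ExclusionExtension 'exe'\""},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "host", "data": r"C:\Users\u\AppData\Roaming\host.exe"},
    {"type": "network", "dst_ip": "193.123.88.61", "dst_port": 4444},
    # Benign noise that must not fire.
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c dir"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive",
     "data": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "network", "dst_ip": "1.1.1.1", "dst_port": 443},
]

# Add-MpPreference with any -Exclusion* parameter: the behaviour the
# "Command and Scripting Interpreter: PowerShell" signature describes.
ADD_MPPREF_RE = re.compile(r"\bAdd-MpPreference\b", re.I)
EXCLUSION_PARAM_RE = re.compile(r"-Exclusion(Path|Process|Extension)\b", re.I)
# ...\CurrentVersion\Run or RunOnce under HKCU or HKLM.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
# %AppData% expands to ...\AppData\Roaming; accept the variable or the expanded path.
APPDATA_INSTALL_RE = re.compile(
    r"(?:%AppData%|\\AppData\\Roaming)\\" + re.escape(INSTALL_FILE) + r"\b", re.I)


def defender_exclusion_kinds(cmdline):
    """Return the sorted exclusion kinds a command line adds via Add-MpPreference,
    e.g. ['Extension', 'Path', 'Process']; empty if it is not such a command."""
    if not ADD_MPPREF_RE.search(cmdline):
        return []
    return sorted({m.group(1).title() for m in EXCLUSION_PARAM_RE.finditer(cmdline)})


def is_run_key_to_appdata_install(ev):
    """Run/RunOnce value whose data points at %AppData%\\host.exe."""
    return (ev["type"] == "registry"
            and bool(RUN_KEY_RE.search(ev["key"]))
            and bool(APPDATA_INSTALL_RE.search(ev["data"])))


def is_c2_connection(ev):
    """Outbound connection to the C2 host:port from the extracted config."""
    return (ev["type"] == "network"
            and ev["dst_ip"] == C2_HOST and ev["dst_port"] == C2_PORT)


def scan(events):
    """Return (rule_name, event_index) pairs for every matching event, in order."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process" and defender_exclusion_kinds(ev["cmdline"]):
            hits.append(("defender_exclusion_via_powershell", i))
        if is_run_key_to_appdata_install(ev):
            hits.append(("run_key_to_appdata_host_exe", i))
        if is_c2_connection(ev):
            hits.append(("xworm_c2_connection", i))
    return hits


if __name__ == "__main__":
    for rule, idx in scan(SAMPLE_EVENTS):
        print(f"{rule}: event {idx} -> {SAMPLE_EVENTS[idx]}")
```

The Run-key and C2 rules are deliberately tied to this sample's configuration (install path and 193.123.88.61:4444); the Defender-exclusion rule is the generic one and is the most useful of the three to keep, since the exclusion commands look the same across XWorm builds while the C2 and install name change per campaign.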

MITRE ATT&CK Enterprise v15

Tasks