Extracted

• • Target

    XClient.exe

  • Size

    63KB

  • MD5

    b4e148797a99791b7d0aeead19b680ea

  • SHA1

    03066b079fd8915c7876c8a64f51c9c80fe4bbc4

  • SHA256

    47976794f020cd6a26baeabaec503610fdf89f6cc9a2f843ee2aa078db6e63a9

  • SHA512

    d0b270d8adbaeb715ed747aa1c1a8b89deb892b45fd147c95752a91ef9c6bda175662d011fc6d77e6c611d55e94a36ccef16aca255aafa8aab80897c26e3b1ec

  • SSDEEP

    1536:cxl6n1aLNbE3gRBd9XhS2kL++bTIDx3ZLL6WnFO5tgo:cr84Rg3edfS2kL++bTyLJFO5yo

  Score

  10^/10

  xwormdiscoveryexecutionpersistenceransomwarerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Adds Run key to start application

    persistence

  • Sets desktop wallpaper using registry

    ransomware
  behavioral1