Extracted

• • Target

    ExcellentDll.exe

  • Size

    345KB

  • MD5

    69f478046e3ef37a710a452f796c9ef9

  • SHA1

    f577229b18661c30938b8dd158019370be32c1d1

  • SHA256

    29774f3e9e2de12c7441f765f340cd661c38de279922961fc69488e2feffe67c

  • SHA512

    ee8994cd121e7437d9affc77988852a71895d92aea268517adeb8bf62fc7b532ea507a03ddc05f9a449e5729201d908690f3a9ac5350832d5c7c01328257eea8

  • SSDEEP

    6144:Q0mluu8NPetOlmfMYdTQJzLtxfg6vgR6TNX5vcQY2MRcViNpqbCtULop+mG:Cou80CKQBxfPvgR6TVcLsiNpqmwok5

  Score

  10^/10

  xwormdiscoveryexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence
  behavioral1behavioral2