Extracted

• • Target

    Xeno.exe

  • Size

    69KB

  • MD5

    4e8074b05433894b629f67b4770d5474

  • SHA1

    f71e57d6bda8a72a7760d358e63664136b8a7bb7

  • SHA256

    480c3389177a32a663b3c484507f00a646a6b4a10c3532527bdc0dcd78c7d259

  • SHA512

    de0726f1335c757925170f496181ee66b29231034c6ab205f54fc265370485bbf1eedfadaaba4b57fd78d6057860630ccd1bada035d71ae74b8f0a5349329e89

  • SSDEEP

    1536:2SuDiZ0QURBoIKoPyS2I+bqpO1Xd7UEx6M0O8RLZ68i:2SuDaURKkPJt+bwwURO85M8i

  Score

  10^/10

  xwormexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Adds Run key to start application

    persistence
  behavioral1