Extracted

• • Target

    250302-wzd6es1ly6_pw_infected.zip

  • Size

    110KB

  • MD5

    f8146c18b74b4ddc7eeceff7a3b72329

  • SHA1

    db0e6fa11d1b25ae16f51f8ddc085d6037b8445f

  • SHA256

    accffc151ff6311d08049f2f40b4254f47789927c1f463824879f81912013427

  • SHA512

    744289ee844a1882af551e20e1f69f940e9e82cca3616ef8f6b43c248f65fbf0fd02c9a319719bb93e5621dd5e8e716917cd95410ecea4b99ca047d2a22667ff

  • SSDEEP

    1536:W+LBaL05g/o3SkFyRCF/kM6JaLJF3A6ZqECrhS6RaVldErPRM1z9yr:R44T3SH4+8LJF3A6ZqECrMldQPORe

  Score

  10^/10

  xwormrattrojan

  • Detect Xworm Payload

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Drops file in System32 directory

  behavioral1