General

  • Target

    Bl4ckt0r Spoofer.exe

  • Size

    4.5MB

  • Sample

    250307-eqn6latvdw

  • MD5

    3e3c214efbec069174605c064553a06f

  • SHA1

    b649ff5a76ce6271e7c0590a9896e0754b5e08ce

  • SHA256

    22c3413fc8c1f3d0893b3f14b231f934e92ac9008611a673e80a951af4cf6da4

  • SHA512

    b22d8f2630bbd2002f715ccd460e3b25c7ce972de97b7c611786ca575db10aa95072dc551b6b5dc0c24a61b919f2912d6e96240160b5b2c5900cedd55512a744

  • SSDEEP

    98304:HZK5TELYAim4gThP3Ja8MBgeq5oYyEzqNIqH17yZ0NrnjN8EHDzzs33nlbv6:HZK5gLYAiclrl5jTeDV7y4nR8iXsnl

Malware Config

Extracted

Family

xworm

Attributes

  • Install_directory

    %AppData%

  • install_file

    x69XClient.exe

  • pastebin_url

    https://pastebin.com/raw/7KHrn9yR

  • telegram

    https://api.telegram.org/bot7600824685:AAHOEzTxziP7s4Wf095smbzn6FrkvRgCwVk/sendMessage?chat_id=7600824685

Targets

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks