Extracted

• • Target

    update.exe

  • Size

    221KB

  • MD5

    c2bc3732467892cdf222c9161773405a

  • SHA1

    43770742e6a28930a1cc4e415e7e03df870c9e92

  • SHA256

    b6e701be7e9daca3ebad9a1586d75dfbd6ec66fd9b36b15459e9f16b73cfc3ca

  • SHA512

    6c9629df3de5ee640898d7abbb4f750df3e07c9e2d841a5597072ec2bd6662de552b75dc783761c0376bf44791a2d684a01a7f387d675674d87dc83fa6762ba1

  • SSDEEP

    3072:Gj+C7lQ52Mrb/xqHuXxcKXnlzlbm9EHBAnpK37nXZ8j0uIQ7bnPs074tyJhXgK0J:o77MrQO58VxnPJqta

  Score

  10^/10

  xwormexecutionrattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  behavioral1behavioral2