Extracted

• • Target

    Geeks ImageGen.exe

  • Size

    68.0MB

  • MD5

    cb29bd3cfb4d250b5a08df713f6edf34

  • SHA1

    f588f2ae86adc8196478f96168737eb75b637631

  • SHA256

    e4804942a52aca3b6e338992f966e4c756028c9b323427bd3383f95286257133

  • SHA512

    dad1c969695af9736d64dec8159949b3032e8208b2566d28cfce57436b1ab72db05f77914986639de409eb675deb5599b6f84f65e560335ba81f6f22217fc1fc

  • SSDEEP

    1536:z7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfowiO:v7DhdC6kzWypvaQ0FxyNTBfo

  Score

  10^/10

  discoveryexecutionxwormpersistencerattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Powershell Invoke Web Request.

    execution

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

    persistence
  behavioral1behavioral2