Extracted

• • Target

    WindowsDefender.exe

  • Size

    95KB

  • MD5

    65f993dfe7a91fc72368b6c2e3d19c0c

  • SHA1

    9e64ebc0bbb50dd7527d4526eafa61488327df1d

  • SHA256

    af2a912e694659f3072ea311ba087669a6b658f46354e899a6ba210fe2400bf0

  • SHA512

    c0c8416f763e41f81450fd81cb92d0eb93742c852d47c24fe87bd013a974f2258c7d8c465fa089bfa8e1be559595edfe01e99482f150b053f6b9ac34ba3516e3

  • SSDEEP

    768:5XYTWoch1vWG8eX8g33IF5P+9Ojr6BOMhJ3sUDDHW:5oWTvvAKT3YFo9Ir6BOMD/DDHW

  Score

  10^/10

  xwormdiscoveryrattrojan

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1