General

  • Target

    CLENT.exe

  • Size

    41KB

  • Sample

    240428-g834ksac21

  • MD5

    be28690cdf6506575c00e0cec6757c66

  • SHA1

    13a72c99c837ec405d7861bf8e768a986bb9429e

  • SHA256

    22b8c4ed7f497d77701df17eb46149e91521f4ba339ca8383d83d3f99e26986c

  • SHA512

    f6bf3455b453766d61c4531a91a86829b277f91dbd9dcffa41fbd37b349ce33dc93a8ffe1f14dcb3927939c8973c90ec24fbdf1d21ff27bbc1be5275be999cee

  • SSDEEP

    768:DNreDweeLOoHdSgDdeLRXvgggULJF5PG9pmjD6vOwh53Euzp:D4DweQldSgDI9Xvvg+FI9AjD6vOwjFV

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    127.0.0.1:29058
    tue-jake.gl.at.ply.gg:29058

  • Mutex

    uLAf44bP3Na3sWni

  • Attributes

    Install_directory: %AppData%
    install_file: $77client.exe

  • aes.plain

Targets

    • Target

      CLENT.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                              ID          Count
  Execution              Scheduled Task/Job                     T1053       1
  Persistence            Boot or Logon Autostart Execution      T1547       1
  Persistence            Registry Run Keys / Startup Folder     T1547.001   1
  Persistence            Scheduled Task/Job                     T1053       1
  Privilege Escalation   Boot or Logon Autostart Execution      T1547       1
  Privilege Escalation   Registry Run Keys / Startup Folder     T1547.001   1
  Privilege Escalation   Scheduled Task/Job                     T1053       1
  Defense Evasion        Modify Registry                        T1112       1
  Discovery              System Information Discovery           T1082       1
  Discovery              Query Registry                         T1012       1
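The extracted config and the signature/ATT&CK mappings above are the pieces a responder actually hunts on: the file hashes, the two C2 host:port pairs, the mutex, the install path (%AppData%\$77client.exe), the Run key (T1547.001) and the scheduled task (T1053). The script below is an added example, not part of the sandbox report and not XWorm or Triage code. It turns those indicators into a matcher and runs it over a handful of host telemetry records. The record schema (one dict per event with a "type" key), every event in EVENTS, the schtasks command line, and the assumption that %AppData% expands to ...\AppData\Roaming are all constructed for the example; no real agent emits exactly this shape.

```python
"""IOC matcher built from the indicators in this XWorm report.

Added example, not part of the sandbox report. Event schema and sample
events are constructed; only the indicator constants come from the report.
"""
import hashlib
import re

# Indicators copied from the report.
SAMPLE_MD5 = "be28690cdf6506575c00e0cec6757c66"
SAMPLE_SHA1 = "13a72c99c837ec405d7861bf8e768a986bb9429e"
SAMPLE_SHA256 = "22b8c4ed7f497d77701df17eb46149e91521f4ba339ca8383d83d3f99e26986c"
C2_ENDPOINTS = {("127.0.0.1", 29058), ("tue-jake.gl.at.ply.gg", 29058)}
MUTEX = "uLAf44bP3Na3sWni"
INSTALL_FILE = "$77client.exe"
# Assumption: %AppData% on a default Windows profile is ...\AppData\Roaming.
INSTALL_DIR_FRAGMENT = "\\appdata\\roaming\\"

# Any HKCU/HKLM ...\CurrentVersion\Run\ value (T1547.001).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def file_hashes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of a file's bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_known_sample(data: bytes) -> bool:
    """True when the bytes hash to the sample described in this report."""
    h = file_hashes(data)
    return (h["sha256"] == SAMPLE_SHA256 or h["sha1"] == SAMPLE_SHA1
            or h["md5"] == SAMPLE_MD5)


def match_event(ev: dict) -> list:
    """Return the indicator/technique labels a single event triggers."""
    hits = []
    kind = ev.get("type")
    if kind == "file_create":
        p = ev["path"].lower()
        if INSTALL_DIR_FRAGMENT in p and p.endswith("\\" + INSTALL_FILE.lower()):
            hits.append("install_file dropped in %AppData%")
    elif kind == "registry_set":
        if RUN_KEY_RE.search(ev["key"]) and INSTALL_FILE.lower() in ev["value"].lower():
            hits.append("T1547.001 Run key points at " + INSTALL_FILE)
    elif kind == "mutex_create":
        if ev["name"] == MUTEX:
            hits.append("XWorm mutex " + MUTEX)
    elif kind == "network_connect":
        if (ev["host"].lower(), ev["port"]) in C2_ENDPOINTS:
            hits.append("C2 endpoint %s:%d" % (ev["host"], ev["port"]))
    elif kind == "process_create":
        cmd = ev["cmdline"].lower()
        if "schtasks" in cmd and "/create" in cmd and INSTALL_FILE.lower() in cmd:
            hits.append("T1053 scheduled task runs " + INSTALL_FILE)
    return hits


def scan(events: list) -> list:
    """Return (index, hits) for every event that matched at least one indicator."""
    results = []
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            results.append((i, hits))
    return results


# Constructed telemetry: what a host that ran this sample might log, mixed
# with two benign records. Not taken from the report.
EVENTS = [
    {"type": "process_create", "cmdline": "C:\\Windows\\explorer.exe"},
    {"type": "file_create", "path": "C:\\Users\\victim\\AppData\\Roaming\\$77client.exe"},
    {"type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\$77client",
     "value": "C:\\Users\\victim\\AppData\\Roaming\\$77client.exe"},
    {"type": "mutex_create", "name": "uLAf44bP3Na3sWni"},
    {"type": "network_connect", "host": "tue-jake.gl.at.ply.gg", "port": 29058},
    {"type": "network_connect", "host": "update.example", "port": 443},
    {"type": "process_create",
     "cmdline": "schtasks /create /tn \"$77client\" "
                "/tr \"C:\\Users\\victim\\AppData\\Roaming\\$77client.exe\""},
]

if __name__ == "__main__":
    for idx, labels in scan(EVENTS):
        print(idx, "; ".join(labels))
```

Two caveats when using this for real. The 127.0.0.1:29058 entry cannot reach an attacker from a victim host, so a loopback hit on its own is weak evidence; the ply.gg hostname, the mutex and the Run key value are the stronger signals. And the "$77" prefix on the install file is the hide-prefix convention used by the r77 rootkit (an association from general knowledge, not something this report shows), so if a rootkit is present a check run on the infected host may not see the file; prefer telemetry captured at write time or an offline disk image.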

Tasks