xworm | XClient[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

XClient.exe
Size

58KB
MD5

d1b2589e478533aa582435561ceaa2a1
SHA1

8649c2f29cc4cbfc5fa9e0baf6749c33066cc681
SHA256

111a59530ef4368d913431d7895404b22650a3856f4e9b2b234460543c36a807
SHA512

a6431ab49ab044ec4c41711e4eaf40f52425aeb5839d85f29db0cdd775f4f8c500267a81f94cf1499548ca785d2bdb3a5df2e50ce975aeff5aaba57c76121bfb
SSDEEP

1536:3WL1NY4h/0TrHsPLDevkb7PXozeDN62GOJUfnkh:2FhouXMkbzuUnGOJUfnkh

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

funut-25273.portmap.host:24924

Attributes

Install_directory
%Userprofile%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
XClient.exe

Files

XClient.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 56KB - Virtual size: 55KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ