General
-
Target
XClient.exe
-
Size
32KB
-
Sample
240302-n3dp3adc94
-
MD5
56877a3e1e57771863e6691db7a0a18e
-
SHA1
c9ab6f11382e0b9747bc225313ea288545a2f71b
-
SHA256
3512d29f133707d6bda97a10e181af6b068f54e827f3f1799b3af657e9afc46d
-
SHA512
248d32b91158c762ae3c434e21e1805e2c385b1d987d1bba6145c35d109bdf70b921a38cef09b482eaa985a64e6f0b410abe825d75399b51a28e842f24319930
-
SSDEEP
768:b+CD9JxV5zlMMyoxVJt76NHRVFr9j0Ojhebi:bh9h5J997QHDFr9j0OjQ2
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win7-20240221-en
Malware Config
Extracted
xworm
5.0
6.tcp.eu.ngrok.io:12508
<Xwormmm>:1
yqenrdvf5FLgMphW
-
install_file
USB.exe
Targets
-
-
Target
XClient.exe
-
Size
32KB
-
MD5
56877a3e1e57771863e6691db7a0a18e
-
SHA1
c9ab6f11382e0b9747bc225313ea288545a2f71b
-
SHA256
3512d29f133707d6bda97a10e181af6b068f54e827f3f1799b3af657e9afc46d
-
SHA512
248d32b91158c762ae3c434e21e1805e2c385b1d987d1bba6145c35d109bdf70b921a38cef09b482eaa985a64e6f0b410abe825d75399b51a28e842f24319930
-
SSDEEP
768:b+CD9JxV5zlMMyoxVJt76NHRVFr9j0Ojhebi:bh9h5J997QHDFr9j0OjQ2
-
Detect Xworm Payload
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Sets desktop wallpaper using registry
-