General

  • Target

    WizClient.bat

  • Size

    77KB

  • Sample

    240405-vqq8yshf8v

  • MD5

    4c28696d2324f34fa0528a74684d28bb

  • SHA1

    56b193476cecfdc99ffc6702ac46fb3b54a2fc42

  • SHA256

    46a4f0f3e2bd14f5d14ecde80496d34ff32f722e920fd76446a40b4ab57c90a5

  • SHA512

    741ee7ec64e2bdc2d1980f99ab84ff01c3702db46a25bfe017c6ce108612f106db869380991d0354242245f832c75b253d63dedbdc22f676f429450be803db67

  • SSDEEP

    1536:7H30LLdNMKREeZCDk8zSAxTbAquZbvmmyW80ZG/Qm6cWP6UOiTI1V7tgS:7HkPdGKdEDkg9AVZbvmh5fYUArOtfKS

Malware Config

Extracted

Family

xworm

C2

18.ip.gl.ply.gg:35814

wiz.bounceme.net:6000

Attributes

  • Install_directory

    %Temp%

  • install_file

    USB.exe

aes.plain

Targets

    • Target

      WizClient.bat

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring and Block at First Sight.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks