General

  • Target

    XClient.exe

  • Size

    74KB

  • Sample

    240410-spq6fscf33

  • MD5

    ede77c0ee1f3d140d6b192eb9429ae42

  • SHA1

    134965c22e20441d3424d519e3abc0acdda2c101

  • SHA256

    ff9fb73073e26472f823b5fb6833ebe3df2026342f1965de73b0a4c7630ed2ab

  • SHA512

    8bd90810bf8f16d40fd5c4b17d12a1d1b02737d93c4d7e3d5cf2340a13e55cd26cd0ed8b0dfd8e8d80a36f6f0b5ca80600df128c36c67fca0981c906a3fc7cc5

  • SSDEEP

    1536:rijXEGhTCmWPjvsmCA6yZPbb3QkX13NI+mOjfMhU6:KXEGetnNbbXmOjZ6

Malware Config

Extracted

Family

xworm

Attributes

  • Install_directory

    %Public%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/UWpQULMP

Targets

    • Target

      XClient.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
