General

  • Target

    XClient.exe

  • Size

    46KB

  • Sample

    240412-pe287add3s

  • MD5

    bfae7d0183a8c70cf8f265326951cf99

  • SHA1

    4ceb0fbd42709154b2ae2dc9f12c06fe73849fcd

  • SHA256

    d8bba9bd5b8debd7ffe33ad35c9e15fd792fff9f353d8a1d37f9898810a5c551

  • SHA512

    a8d14809291b2d4a58a1b6d16d7e821e0fc0eb2415d25a2cc9dfeb5edb582c3b5e0ea8fb44bb1d989758778e5fab7ece2841913e9b0cee09cc9fd0fa76223dad

  • SSDEEP

    768:KpbBDHT/CWTNYoxO22iCVd7cQ1gFEPG9cSS36vOChpzYunQ7:KpVDHzRpWiWwF19RC6vOCXpQ7

Malware Config

Extracted

Family

xworm

Version

5.0

C2

6.tcp.eu.ngrok.io:13248

Mutex

SVIIzSoR4OLYThbj

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • telegram

    https://api.telegram.org/bot7002788779:AAGNt_LDnuDvtdHHRg8UnuUaJp0gRFa9ZYo/sendMessage?chat_id=5487555551

  • aes.plain (1)

    8ECHmf2rBdMeBiNgcj5yQA==

Targets

    • Detect Xworm Payload

    • XenArmor Suite

      XenArmor is a suite of password recovery tools for various applications.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • ACProtect 1.3x - 1.4x DLL software

      Detects files protected with the ACProtect packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
