xenarmor | d8bba9bd5b8debd7ffe33ad35c9e15fd792fff9f353d8a1d37f9898810a5c551

General

Target

XClient.exe
Size

46KB
Sample

240412-pe287add3s
MD5

bfae7d0183a8c70cf8f265326951cf99
SHA1

4ceb0fbd42709154b2ae2dc9f12c06fe73849fcd
SHA256

d8bba9bd5b8debd7ffe33ad35c9e15fd792fff9f353d8a1d37f9898810a5c551
SHA512

a8d14809291b2d4a58a1b6d16d7e821e0fc0eb2415d25a2cc9dfeb5edb582c3b5e0ea8fb44bb1d989758778e5fab7ece2841913e9b0cee09cc9fd0fa76223dad
SSDEEP

768:KpbBDHT/CWTNYoxO22iCVd7cQ1gFEPG9cSS36vOChpzYunQ7:KpVDHzRpWiWwF19RC6vOCXpQ7

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

6.tcp.eu.ngrok.io:13248

Mutex

SVIIzSoR4OLYThbj

Attributes

Install_directory
%AppData%
install_file
XClient.exe
telegram
https://api.telegram.org/bot7002788779:AAGNt_LDnuDvtdHHRg8UnuUaJp0gRFa9ZYo/sendMessage?chat_id=5487555551

aes.plain

Targets

- Target
  
  XClient.exe
- Size
  
  46KB
- MD5
  
  bfae7d0183a8c70cf8f265326951cf99
- SHA1
  
  4ceb0fbd42709154b2ae2dc9f12c06fe73849fcd
- SHA256
  
  d8bba9bd5b8debd7ffe33ad35c9e15fd792fff9f353d8a1d37f9898810a5c551
- SHA512
  
  a8d14809291b2d4a58a1b6d16d7e821e0fc0eb2415d25a2cc9dfeb5edb582c3b5e0ea8fb44bb1d989758778e5fab7ece2841913e9b0cee09cc9fd0fa76223dad
- SSDEEP
  
  768:KpbBDHT/CWTNYoxO22iCVd7cQ1gFEPG9cSS36vOChpzYunQ7:KpVDHzRpWiWwF19RC6vOCXpQ7
Score

10^/10

xenarmor xworm collection password persistence rat recovery spyware stealer trojan upx
- Detect Xworm Payload
- XenArmor Suite
  XenArmor is as suite of password recovery tools for various application.
  recovery password xenarmor
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2