General
-
Target
XClient.exe
-
Size
80KB
-
Sample
240420-zexc2shh8t
-
MD5
c2c1ba206377942b6b647f39d03904b9
-
SHA1
d0b9e4fb55ffdf2cb5a78b7e881d9ce641d9c17b
-
SHA256
40751536a5f6d6a98f181c1ccd19c3dcbd51a194d6ec282ab9141a3ee599c4a5
-
SHA512
83d885cd216d9e2a79e05b4270b85d1503f579548e4733ff5ae53bc1513a184345072f64216ad9445ebc2fa57af55b14277a845b1dfde152622fafbb91c07f05
-
SSDEEP
1536:RBeQHCHtsCRq1GS8+2KWUGPh8XGAWptciXuCx/sw9lp/bXK0apO5O6u7rsOE1aSE:neRNsCRq1GS8+2DGhP8V/9Xb6BpJYOEY
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win10v2004-20240412-en
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
System.exe
-
pastebin_url
https://pastebin.com/raw/erNS5DCf
-
telegram
https://api.telegram.org/bot6322711372:AAGbIfXFhlNS1SFeiUdz8wnaxv2bCiayqnI/sendMessage?chat_id=1098594855
Targets
-
-
Target
XClient.exe
-
Size
80KB
-
MD5
c2c1ba206377942b6b647f39d03904b9
-
SHA1
d0b9e4fb55ffdf2cb5a78b7e881d9ce641d9c17b
-
SHA256
40751536a5f6d6a98f181c1ccd19c3dcbd51a194d6ec282ab9141a3ee599c4a5
-
SHA512
83d885cd216d9e2a79e05b4270b85d1503f579548e4733ff5ae53bc1513a184345072f64216ad9445ebc2fa57af55b14277a845b1dfde152622fafbb91c07f05
-
SSDEEP
1536:RBeQHCHtsCRq1GS8+2KWUGPh8XGAWptciXuCx/sw9lp/bXK0apO5O6u7rsOE1aSE:neRNsCRq1GS8+2DGhP8V/9Xb6BpJYOEY
Score10/10-
Detect Xworm Payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-