General
Target: XClient.exe
Size: 140KB
Sample: 240428-bhncjsce75
MD5: ba590e758bf7f43c86ddc06f39dd2347
SHA1: f4acbb1bdee1e31f4430af059a67cd136491a60e
SHA256: c9c4abd3b029e4afafec56a5ee940b4d14444d27c9b0da4794b3cfe047236695
SHA512: 17e46beb2d57acc1f9f4a9c959d2f9fadb53158a6a02bd93eece88099655f8246a6cf325c8853e7e45b3b002fdc76c3a528f1972d6674ef883670ebe3244b2d6
SSDEEP: 3072:0G/pS61n7sEbZVnJbkLiITO2DIqmyBer:0x6hoEbv5UIqm
Behavioral task: behavioral1
Sample: XClient.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: XClient.exe
Resource: win10v2004-20240419-en
Malware Config
Extracted: xworm
Install_directory: %AppData%
install_file: XClient.exe
pastebin_url: https://pastebin.com/raw/PG3MaVGP
Targets
Target: XClient.exe
Size: 140KB
Score: 10/10
- Detect Xworm Payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.