General

  • Target

    XClient.exe

  • Size

    87KB

  • Sample

    240504-enejdafg23

  • MD5

    97694a36c5d198da4450833bfb9d0694

  • SHA1

    cc0ec0b78681eab11264d69c4e9777c988656d33

  • SHA256

    5c93af044fb87057ef7867cd98771999469b136b1f060b0bfd5e4e743203c23e

  • SHA512

    762ca2276d5e5bed6aed62c4acc59531438f50689464c6ef476a02c8740088c044c132ca5a65baa5a35bfa5d17b55851d3d511c27eaf9ad09618616d4087874e

  • SSDEEP

    1536:i/RBvo35nHYjBzVWFcOlPIbbiJ91+6fQOP3zy8pKDk:oBo354jBQFcOlgbbG91PQOfzy8ak

Malware Config

Extracted

Family

xworm

C2

centre-clan.gl.at.ply.gg:40354

Attributes

  • Install_directory

    %Temp%

  • install_file

    svchost.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15
