General
-
Target
XClient.exe
-
Size
87KB
-
Sample
240504-enejdafg23
-
MD5
97694a36c5d198da4450833bfb9d0694
-
SHA1
cc0ec0b78681eab11264d69c4e9777c988656d33
-
SHA256
5c93af044fb87057ef7867cd98771999469b136b1f060b0bfd5e4e743203c23e
-
SHA512
762ca2276d5e5bed6aed62c4acc59531438f50689464c6ef476a02c8740088c044c132ca5a65baa5a35bfa5d17b55851d3d511c27eaf9ad09618616d4087874e
-
SSDEEP
1536:i/RBvo35nHYjBzVWFcOlPIbbiJ91+6fQOP3zy8pKDk:oBo354jBQFcOlgbbG91PQOfzy8ak
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win10v2004-20240419-en
Malware Config
Extracted
xworm
centre-clan.gl.at.ply.gg:40354
-
Install_directory
%Temp%
-
install_file
svchost.exe
Targets
-
-
Target
XClient.exe
-
Size
87KB
-
MD5
97694a36c5d198da4450833bfb9d0694
-
SHA1
cc0ec0b78681eab11264d69c4e9777c988656d33
-
SHA256
5c93af044fb87057ef7867cd98771999469b136b1f060b0bfd5e4e743203c23e
-
SHA512
762ca2276d5e5bed6aed62c4acc59531438f50689464c6ef476a02c8740088c044c132ca5a65baa5a35bfa5d17b55851d3d511c27eaf9ad09618616d4087874e
-
SSDEEP
1536:i/RBvo35nHYjBzVWFcOlPIbbiJ91+6fQOP3zy8pKDk:oBo354jBQFcOlgbbG91PQOfzy8ak
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-