General
Target: XClient.exe
Size: 245KB
Sample: 240511-n99q3sab46
MD5: 8514e447cbf1f4e469b068e00c081976
SHA1: 63bf10cb68dec396255cb6c541c4120280c0b237
SHA256: c6451291df83bdd8b0af55160337e37a0f82cc3611475c05728bc50cd9777a5d
SHA512: 68c75b3b2d74cb2fb154ba2c133fe0b2604aab553915d69348ba7c461558c6937b478dfaa208af30316744ba16f3c3f26b40e7fe9e4e6d993f9c8bb14402599b
SSDEEP: 6144:6dfCUJQb8RaGHUhcX7elbKTua9bfF/H9d9n:VURaGH3X3u+
Behavioral task
behavioral1
Sample: XClient.exe
Resource: win7-20240508-en
Malware Config
Extracted
Family: xworm
C2: 140.99.97.156:7000
Install_directory: %ProgramData%
install_file: VLC_Media.exe
Targets
Target: XClient.exe
Size: 245KB (same MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
Drops startup file
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
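Hunting logic for the behaviours listed above, written here as an added example; it is not part of the sandbox report and not XWorm's or any vendor's code. It runs over constructed, Sysmon-like telemetry embedded inline. The event field names, the Defender cmdlet pattern, the registry path used for the locale lookup and the list of IP-lookup hosts are assumptions; the C2 address, install directory and install file name come from the extracted config above.

```python
"""Triage-style matching of the report's signatures against host telemetry.

Added illustration, not sandbox output. The records in SAMPLE_EVENTS are
constructed to resemble Sysmon process-creation, registry-access, file-create
and network-connection events; field names are assumptions.
"""
import re
from dataclasses import dataclass, field

# Indicators taken from the report's extracted configuration.
C2_HOST, C2_PORT = "140.99.97.156", 7000
INSTALL_FILE = "VLC_Media.exe"          # dropped under %ProgramData%

# Assumed: the Defender cmdlets/parameters behind the PowerShell signature.
DEFENDER_EXCLUSION = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Extension|Process)\b",
    re.IGNORECASE,
)
# Assumed: locale/geo values under HKCU\Control Panel\International.
GEO_REGISTRY = re.compile(
    r"\\Control Panel\\International\\(Geo\\Nation|LocaleName|sCountry)$",
    re.IGNORECASE,
)
# Assumed: a few public IP-lookup services (constructed list).
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "ip-api.com",
                   "checkip.amazonaws.com"}
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


@dataclass
class Event:
    kind: str                       # "process", "registry", "network", "file"
    data: dict = field(default_factory=dict)


def classify(ev):
    """Return the list of report signatures a single event satisfies."""
    hits = []
    if ev.kind == "process":
        cmd = ev.data.get("CommandLine", "")
        if DEFENDER_EXCLUSION.search(cmd):
            hits.append("defender_exclusion")
        image = ev.data.get("Image", "").lower()
        # Install file running from the configured install directory.
        if image.endswith("\\" + INSTALL_FILE.lower()) and "\\programdata\\" in image:
            hits.append("install_file")
    elif ev.kind == "registry":
        if GEO_REGISTRY.search(ev.data.get("TargetObject", "")):
            hits.append("geofence_lookup")
    elif ev.kind == "network":
        if (ev.data.get("DestinationIp") == C2_HOST
                and int(ev.data.get("DestinationPort", 0)) == C2_PORT):
            hits.append("c2_connect")
        if ev.data.get("DestinationHostname", "").lower() in IP_LOOKUP_HOSTS:
            hits.append("external_ip_lookup")
    elif ev.kind == "file":
        if STARTUP_DIR.search(ev.data.get("TargetFilename", "")):
            hits.append("startup_file")
    return hits


def triage(events):
    """Map each matched signature to the indices of the events that fired it."""
    out = {}
    for i, ev in enumerate(events):
        for h in classify(ev):
            out.setdefault(h, []).append(i)
    return out


# Constructed sample telemetry (not real sandbox output).
SAMPLE_EVENTS = [
    Event("process", {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      "CommandLine": 'powershell -Command "Add-MpPreference '
                                     '-ExclusionPath \'C:\\ProgramData\\VLC_Media.exe\'"'}),
    Event("process", {"Image": r"C:\ProgramData\VLC_Media.exe",
                      "CommandLine": r"C:\ProgramData\VLC_Media.exe"}),
    Event("registry", {"TargetObject": r"HKU\S-1-5-21-1\Control Panel\International\Geo\Nation"}),
    Event("file", {"TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows"
                                     r"\Start Menu\Programs\Startup\VLC_Media.lnk"}),
    Event("network", {"DestinationIp": "203.0.113.10", "DestinationPort": 443,
                      "DestinationHostname": "api.ipify.org"}),
    Event("network", {"DestinationIp": "140.99.97.156", "DestinationPort": 7000,
                      "DestinationHostname": ""}),
    Event("process", {"Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"}),  # benign
]

if __name__ == "__main__":
    for sig, idx in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{sig:20s} events {idx}")
```

To use this against real data, replace SAMPLE_EVENTS with records parsed from Sysmon or PowerShell operational logs and keep the field names aligned; the C2 and install-file indicators are specific to this sample, while the Defender-exclusion, locale-lookup, startup-drop and IP-lookup patterns are generic enough to reuse for other XWorm builds.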