General
- Target: XClient.exe
- Size: 216KB
- Sample: 240512-qd9gjsga6s
- MD5: a6d3d1061fb61a90a933acceb1af5358
- SHA1: ea62a67f7a0726e76e3a849652672dd95868bb00
- SHA256: 370ea3e983c58ed74d3ee9ec54663ff29dba195a040d0fe56c20b7554cf18472
- SHA512: 9341af271094515df448e9ee9273e2d8a3b1101feaaeef64838c2ff908bfdc56b6afc688f117c971e1eb5adc5c8304cec936bac20ff03c23430a6e945c55637d
- SSDEEP: 3072:lBxhsxnroxM7btQ+ROU0Z5hh4DAiKeNhK1pEeGklktiVMPneSYHl:vx+nr2M7bK+YLheDAiKeNkLzblk
Behavioral task: behavioral1
- Sample: XClient.exe
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: XClient.exe
- Resource: win10v2004-20240508-en
Malware Config
Extracted: xworm
- C2: 2.tcp.eu.ngrok.io:16807
- Install_directory: %AppData%
- install_file: svchost.exe
Targets
- Target: XClient.exe
- Size: 216KB
- MD5: a6d3d1061fb61a90a933acceb1af5358
- SHA1: ea62a67f7a0726e76e3a849652672dd95868bb00
- SHA256: 370ea3e983c58ed74d3ee9ec54663ff29dba195a040d0fe56c20b7554cf18472
- SHA512: 9341af271094515df448e9ee9273e2d8a3b1101feaaeef64838c2ff908bfdc56b6afc688f117c971e1eb5adc5c8304cec936bac20ff03c23430a6e945c55637d
- SSDEEP: 3072:lBxhsxnroxM7btQ+ROU0Z5hh4DAiKeNhK1pEeGklktiVMPneSYHl:vx+nr2M7bK+YLheDAiKeNkLzblk
- Detect Xworm Payload
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.