Behavioral task: behavioral1
Sample: XClient.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: XClient.exe
Resource: win10v2004-20240508-en

General
Target: XClient.exe
Size: 216KB
MD5: a6d3d1061fb61a90a933acceb1af5358
SHA1: ea62a67f7a0726e76e3a849652672dd95868bb00
SHA256: 370ea3e983c58ed74d3ee9ec54663ff29dba195a040d0fe56c20b7554cf18472
SHA512: 9341af271094515df448e9ee9273e2d8a3b1101feaaeef64838c2ff908bfdc56b6afc688f117c971e1eb5adc5c8304cec936bac20ff03c23430a6e945c55637d
SSDEEP: 3072:lBxhsxnroxM7btQ+ROU0Z5hh4DAiKeNhK1pEeGklktiVMPneSYHl:vx+nr2M7bK+YLheDAiKeNkLzblk

Malware Config
Extracted
Family: xworm
C2: 2.tcp.eu.ngrok.io:16807
Install_directory: %AppData%
install_file: svchost.exe

Signatures
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule sample family_xworm
Xworm family
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource XClient.exe

Files
XClient.exe.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 66KB - Virtual size: 65KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 149KB - Virtual size: 148KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ