General
-
Target
XClient2.exe
-
Size
42KB
-
Sample
240521-nagw1sbd74
-
MD5
1ec8a6cea5e8dc9b654b2e1883df2d0a
-
SHA1
742221275c4b16fd5fb9d26bcf8dcbefabfcb187
-
SHA256
986ae9a9ddb4c6f5ad6e025e7e33b88e8ad7d44873cdbb95c36008c8d88acc53
-
SHA512
eb0d0cd8a0aa7bc7bf921aa310d3462b633a098e8d304e124054d2834b4394b48b81aee9c209391e7bb25796ead0b633646ce0afb2b904f8805f3788a4b0dc9a
-
SSDEEP
768:kUlyU7A+3G4R7e8ccs6B3p9cr+pF5PG9eD06vOwhF35iv:DV7zZLFPcraFI9k06vOwXMv
Malware Config
Extracted
xworm
5.0
xErcLvQIi89NYxG4
-
Install_directory
%ProgramData%
-
install_file
Calculator.exe
-
pastebin_url
https://pastebin.com/raw/8NHjMQQu
-
telegram
https://api.telegram.org/bot7167058941:AAEJhrFmM-_DOjntPUu3dU0-dH40X4Umt2M
Targets
-
-
Target
XClient2.exe
-
Size
42KB
-
MD5
1ec8a6cea5e8dc9b654b2e1883df2d0a
-
SHA1
742221275c4b16fd5fb9d26bcf8dcbefabfcb187
-
SHA256
986ae9a9ddb4c6f5ad6e025e7e33b88e8ad7d44873cdbb95c36008c8d88acc53
-
SHA512
eb0d0cd8a0aa7bc7bf921aa310d3462b633a098e8d304e124054d2834b4394b48b81aee9c209391e7bb25796ead0b633646ce0afb2b904f8805f3788a4b0dc9a
-
SSDEEP
768:kUlyU7A+3G4R7e8ccs6B3p9cr+pF5PG9eD06vOwhF35iv:DV7zZLFPcraFI9k06vOwXMv
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-