Overview

overview

10

Static

static

1

XClient.bat

windows7-x64

1

XClient.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XClient.bat

  • Size

    64KB

  • Sample

    240522-wqq4mabd48

  • MD5

    b9ba38c08e5f9113c31434ae324b3a67

  • SHA1

    c5a03303b400dcac370989ba8e51e0b0a3c0622d

  • SHA256

    b32ef974fa3195e1e88e290cb4b98f156e8ec3a5a053a8c781ecc2a8e47bf408

  • SHA512

    a6960a62f1034441acce040366313c4e70563c4b57c8ca2fa30161e06f6489a86de7af52d3f5c5f69e806a8c0097ed7367e136070f40443cfe73945cb86d099c

  • SSDEEP

    768:AO70rJOxpoeQhjCEqvimrMRLdJmmC5UXfs3NadfzteQCv/vFyVzgZpB+20JaaaTg:3CgSGNIfso7tqvFysTTdpePNKaAURYja

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

83.143.112.35:7000

Mutex

CyKBTjaY0aAqNzKT

Attributes
  • Install_directory

    %Temp%

  • install_file

    Chrome.exe

  • telegram

    https://api.telegram.org/bot6671364658:AAFSR01MD7rod9u5ExKsea5-2_kUtJR70Ks

aes.plain

Targets

    • Target

      XClient.bat

    • Size

      64KB

    • MD5

      b9ba38c08e5f9113c31434ae324b3a67

    • SHA1

      c5a03303b400dcac370989ba8e51e0b0a3c0622d

    • SHA256

      b32ef974fa3195e1e88e290cb4b98f156e8ec3a5a053a8c781ecc2a8e47bf408

    • SHA512

      a6960a62f1034441acce040366313c4e70563c4b57c8ca2fa30161e06f6489a86de7af52d3f5c5f69e806a8c0097ed7367e136070f40443cfe73945cb86d099c

    • SSDEEP

      768:AO70rJOxpoeQhjCEqvimrMRLdJmmC5UXfs3NadfzteQCv/vFyVzgZpB+20JaaaTg:3CgSGNIfso7tqvFysTTdpePNKaAURYja

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks