General

  • Target

    e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe

  • Size

    726KB

  • Sample

    240523-cl33vaac37

  • MD5

    0e9969044f657b12f4cdad27254e5f91

  • SHA1

    41d8196fd7520fa391361a39e3d1c6e6f124f07e

  • SHA256

    e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7

  • SHA512

    2021bc8a0828084bcfbe0af6f997b3847cc0c63fa614db25a9116259b1bf9124eccdf5ad0a1fab37192b535199ad4e5c5570e448be43154baa49bd327db65284

  • SSDEEP

    12288:SMMbni72U8L4042zQ1WVeXFfJoPQ5Puvg8BQcCRjEgTeRJRCIYpu5ssoxU:VMbni723L73/gXFxoY8Y8eckEH

Malware Config

Extracted

Family

xworm

C2

104.250.180.178:7061

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7.exe

    • Size

      726KB

    • MD5

      0e9969044f657b12f4cdad27254e5f91

    • SHA1

      41d8196fd7520fa391361a39e3d1c6e6f124f07e

    • SHA256

      e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7

    • SHA512

      2021bc8a0828084bcfbe0af6f997b3847cc0c63fa614db25a9116259b1bf9124eccdf5ad0a1fab37192b535199ad4e5c5570e448be43154baa49bd327db65284

    • SSDEEP

      12288:SMMbni72U8L4042zQ1WVeXFfJoPQ5Puvg8BQcCRjEgTeRJRCIYpu5ssoxU:VMbni723L73/gXFxoY8Y8eckEH

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Detects Windows executables referencing non-Windows User-Agents

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to add Windows Defender exclusions for file extensions, paths, and processes, so the dropped payload and its install directory are not scanned.

    • Drops startup file

    • Loads dropped DLL

    • Suspicious use of SetThreadContext (an API commonly used to redirect a suspended process to injected code)
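A hunting helper built from the indicators on this page, added here as an example and not part of the sandbox report or any tool it references. It turns the extracted config (C2 104.250.180.178:7061, install file XClient.exe under %AppData%) and the PowerShell Defender-exclusion signature into checks over telemetry, and confirms a quarantined file against the report's hashes. The tab-separated log format and every log line are constructed for illustration; the expansion of %AppData% to <profile>\AppData\Roaming is an assumption about the victim profile layout.

```python
"""
Hunting helper built from the indicators on this page: the extracted XWorm
config (C2 104.250.180.178:7061, install file XClient.exe under %AppData%)
and the PowerShell Defender-exclusion signature. Added example, not part of
the sandbox report. The log format and every log line below are
constructed; a real deployment would feed EDR/Sysmon telemetry instead.
"""
import hashlib
import re
from typing import Dict, List, Optional

# Indicators copied from the report's extracted config.
C2_HOST = "104.250.180.178"
C2_PORT = 7061
INSTALL_FILE = "XClient.exe"
# Assumption: %AppData% expands to <profile>\AppData\Roaming on the victim,
# so the install path is matched on that fragment.
INSTALL_DIR_FRAGMENT = "\\appdata\\roaming\\"

# File hashes from the report, used to confirm a quarantined binary is this sample.
REPORT_HASHES = {
    "md5": "0e9969044f657b12f4cdad27254e5f91",
    "sha1": "41d8196fd7520fa391361a39e3d1c6e6f124f07e",
    "sha256": "e43ce5c79d5ce46f62d290f6df85e0f75691f332657b7d357631c2df6da91cb7",
}

# Add-MpPreference with any -Exclusion* switch is the Defender tampering the
# PowerShell signature describes; the read-only Get-MpPreference must not match.
EXCLUSION_RE = re.compile(
    r"\bAdd-MpPreference\b[^\n]*?-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE
)
DST_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
PATH_RE = re.compile(r"path=(.+)$")

# Constructed sample telemetry, one event per line: kind<TAB>host<TAB>detail.
SAMPLE_LOG = """\
net\tWS01\tsrc=10.0.0.5:51011 dst=104.250.180.178:7061 proto=tcp
file\tWS01\tcreate path=C:\\Users\\alice\\AppData\\Roaming\\XClient.exe
ps\tWS01\tAdd-MpPreference -ExclusionPath "C:\\Users\\alice\\AppData\\Roaming" -ExclusionProcess "XClient.exe"
net\tWS02\tsrc=10.0.0.7:49200 dst=142.250.180.178:443 proto=tcp
file\tWS02\tcreate path=C:\\Program Files\\Vendor\\XClient.exe
ps\tWS03\tGet-MpPreference | Select-Object ExclusionPath
"""


def classify(line: str) -> Optional[str]:
    """Return the indicator name a single event matches, or None."""
    kind, _host, detail = line.rstrip("\n").split("\t", 2)
    if kind == "net":
        m = DST_RE.search(detail)
        if m and m.group(1) == C2_HOST and int(m.group(2)) == C2_PORT:
            return "xworm_c2"
    elif kind == "file":
        m = PATH_RE.search(detail)
        if m:
            path = m.group(1).lower()
            # Require both the config's file name and its install directory;
            # an XClient.exe elsewhere is not this indicator.
            if path.endswith("\\" + INSTALL_FILE.lower()) and INSTALL_DIR_FRAGMENT in path:
                return "xworm_install"
    elif kind == "ps" and EXCLUSION_RE.search(detail):
        return "defender_exclusion_added"
    return None


def hunt(log_text: str) -> Dict[str, List[str]]:
    """Group indicator hits by host so each machine's evidence is seen together."""
    hits: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        tag = classify(line)
        if tag:
            host = line.split("\t", 2)[1]
            hits.setdefault(host, []).append(tag)
    return hits


def matching_report_hashes(data: bytes) -> List[str]:
    """Names of the report's hashes that a candidate file's bytes reproduce.
    All three should agree; a partial match means a different file or a
    transcription error in the indicator list."""
    return [
        name for name, expected in REPORT_HASHES.items()
        if hashlib.new(name, data).hexdigest() == expected
    ]


if __name__ == "__main__":
    for host, tags in hunt(SAMPLE_LOG).items():
        print(host, tags)
    print("hash match on random bytes:", matching_report_hashes(b"not the sample"))
```

On the constructed input only WS01 is flagged, with all three indicators; WS02's XClient.exe under Program Files and WS03's read-only Get-MpPreference are deliberately left unflagged to show that the file-name and cmdlet checks are scoped to the config and signature on this page rather than to any occurrence of the strings. The SSDEEP value from the report is not checked here because the standard library has no fuzzy-hash implementation.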

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic       Technique                                   Count
Execution    Command and Scripting Interpreter (T1059)   1
             PowerShell (T1059.001)                      1
