General
-
Target
XClient.exe
-
Size
41KB
-
Sample
240523-kklq6sba43
-
MD5
cb09c9133f40c4903525fa5a7df4c405
-
SHA1
e8496990338d09a6b73d4808e3aada0f50cf758a
-
SHA256
ad335bba6ec965c12c17a0fb8ae86aa26beebca57e63fba662757a79f1d6df22
-
SHA512
be757f81deb1b8f43d51332d383ff829524ea94a54a732576b30bdba43a31eee2dfc9cd8ed5dce2cd06e191c307db2ddee687895a0de5ad6bc9709d167631b1f
-
SSDEEP
768:KU0MzzOOfBbw197oyoyv08cr/rZ+IF5Pa9n2e6iOwhM3sik:KU0M/bZbwXsyrs3rd9F492e6iOwSNk
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
XClient.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
xworm
5.0
https://pastebin.com/raw/qaWffTar:5
C6npgtaAk9A5snxm
-
Install_directory
%AppData%
-
install_file
svchost.exe
-
pastebin_url
https://pastebin.com/raw/qaWffTar
Targets
-
-
Target
XClient.exe
-
Size
41KB
-
MD5
cb09c9133f40c4903525fa5a7df4c405
-
SHA1
e8496990338d09a6b73d4808e3aada0f50cf758a
-
SHA256
ad335bba6ec965c12c17a0fb8ae86aa26beebca57e63fba662757a79f1d6df22
-
SHA512
be757f81deb1b8f43d51332d383ff829524ea94a54a732576b30bdba43a31eee2dfc9cd8ed5dce2cd06e191c307db2ddee687895a0de5ad6bc9709d167631b1f
-
SSDEEP
768:KU0MzzOOfBbw197oyoyv08cr/rZ+IF5Pa9n2e6iOwhM3sik:KU0M/bZbwXsyrs3rd9F492e6iOwSNk
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-