Overview

overview

10

Static

static

10

XCliwwent.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XCliwwent.exe

  • Size

    36KB

  • Sample

    240524-q66alagd74

  • MD5

    47978d37991923fe10c8a2eda94b54e5

  • SHA1

    be6a3f5ba728171c75c89eafc306121310b55c13

  • SHA256

    6c23a9902ec13708c31b406e9eb377e8d97c8bfcedbc88125e03ec3ffadf5b4b

  • SHA512

    0546809daa91d617dbcd079caaa339b436aacb5de92070f5b67c22c582d00639a051187fe0528c85947024a9e5c0bbfdc3371b6432dbb74c692d70c0839f213d

  • SSDEEP

    768:B2O/wjF7REa8B/bHh9Q3B7rh/Fu9yIZROfhV/OP:2FVCzHhOx7r5Fu9yMROfKP

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

fax-safely.gl.at.ply.gg:61182

Mutex

SS03BzgRREzhTLGt

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    USB.exe

aes.plain

Targets

    • Target

      XCliwwent.exe

    • Size

      36KB

    • MD5

      47978d37991923fe10c8a2eda94b54e5

    • SHA1

      be6a3f5ba728171c75c89eafc306121310b55c13

    • SHA256

      6c23a9902ec13708c31b406e9eb377e8d97c8bfcedbc88125e03ec3ffadf5b4b

    • SHA512

      0546809daa91d617dbcd079caaa339b436aacb5de92070f5b67c22c582d00639a051187fe0528c85947024a9e5c0bbfdc3371b6432dbb74c692d70c0839f213d

    • SSDEEP

      768:B2O/wjF7REa8B/bHh9Q3B7rh/Fu9yIZROfhV/OP:2FVCzHhOx7r5Fu9yMROfKP

    Score
    10/10
    xwormpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence
    behavioral1

MITRE ATT&CK Enterprise v15

Tasks