General
Target: XClient.exe
Size: 173KB
Sample: 240525-jyzdrabb7z
MD5: e53cfc4155bf01620aaf3ef5041116f2
SHA1: 50b4d70680945e7e5806de76b47d56d1fc2af985
SHA256: 7eb3f17102a94b55b2a95688d799bee21e55ad67c1ff6580c6968852705ace95
SHA512: 63babf167c3ebdebf672213d68a441e3973009f52dc34d0f6bec880f8a9712669c223da43f0cd066da0e5495e885f66f5d2a366f918c07bb97b22fe6c8d58232
SSDEEP: 3072:xIeFPAg95lvc+b6iTPXGOXx2Bz65/M6If+3Js+3JFkKeTns:xqg7Xbd2xBt25

Behavioral task: behavioral1
Sample: XClient.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: XClient.exe
Resource: win10v2004-20240226-en

Malware Config
Extracted: xworm
C2: advertise-located.gl.at.ply.gg:54921
C2: 19.ip.gl.ply.gg:54921
Install_directory: %AppData%
install_file: cmd.exe
Targets
Score: 10/10

Signatures:
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory