Resubmissions
26-05-2024 17:06
240526-vmg6wade6v 1026-05-2024 12:49
240526-p2q5faeh27 1026-05-2024 12:43
240526-pyanaadf3s 10Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
26-05-2024 17:06
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win7-20240215-en
4 signatures
150 seconds
General
-
Target
XClient.exe
-
Size
32KB
-
MD5
53d9b475ab5b6a31e7b89c28d49b2196
-
SHA1
118000b987a127ae6065f9739b583038e0f1780b
-
SHA256
5b64cc2c1a7d550a5fb1d344d373be0cf9a8a5041f5e7b33534a9aaee06a9073
-
SHA512
302b7e312298445df0fbecd5d8fa54086eefa85b2b3ed238481a385a5fa2a148c11b681c1a5a57dd20e5602f2430185738ab5ac134f3d2d965760ff84ec7f949
-
SSDEEP
768:+RPD9OQhx/BV3Tw4e1dVFE9jiOjhfbhO:+d9OW/V3U4epFE9jiOjJFO
Malware Config
Extracted
Family
xworm
Version
5.0
C2
0.tcp.eu.ngrok.io:10897
Mutex
QUjY5ulhX0UCX61h
Attributes
-
install_file
USB.exe
aes.plain
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4388-0-0x00000000003E0000-0x00000000003EE000-memory.dmp family_xworm -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
XClient.exedescription pid process Token: SeDebugPrivilege 4388 XClient.exe