General

  • Target

    XClient.exe

  • Size

    37KB

  • Sample

    240526-w9ly1sff6y

  • MD5

    6d8d71abc75ed744e539cb3956a64d79

  • SHA1

    d7b822a9d3937b33f9bf194af10b686f00d25c0e

  • SHA256

    9195e804fa2c17c635c41bdb01ae76f0603621d70923e3b807d111fc50bea85c

  • SHA512

    263ff20d0a969f39b729c0cb469ade45c1f2eaf8b0c0520e2b1e8adeee9832d63b9407a1798694f12c8c96ae6e46cf0424d290e5e9beff67a93e8b3cf97f7d86

  • SSDEEP

    768:3Tz26YAWq8Kt1Cy9eTg1bxVzFg9UPO/himE/ZG:3T1YAFdjpc8xFFg9UPO/QzRG

Malware Config

Extracted

Family

xworm

Version

5.0

C2

19.ip.gl.ply.gg:64493

Mutex

evl50XXc9zAoNqyF

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks