General
-
Target
XClient.exe
-
Size
37KB
-
Sample
240526-w9ly1sff6y
-
MD5
6d8d71abc75ed744e539cb3956a64d79
-
SHA1
d7b822a9d3937b33f9bf194af10b686f00d25c0e
-
SHA256
9195e804fa2c17c635c41bdb01ae76f0603621d70923e3b807d111fc50bea85c
-
SHA512
263ff20d0a969f39b729c0cb469ade45c1f2eaf8b0c0520e2b1e8adeee9832d63b9407a1798694f12c8c96ae6e46cf0424d290e5e9beff67a93e8b3cf97f7d86
-
SSDEEP
768:3Tz26YAWq8Kt1Cy9eTg1bxVzFg9UPO/himE/ZG:3T1YAFdjpc8xFFg9UPO/QzRG
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
XClient.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
xworm
5.0
19.ip.gl.ply.gg:64493
evl50XXc9zAoNqyF
-
Install_directory
%AppData%
-
install_file
XClient.exe
Targets
-
-
Target
XClient.exe
-
Size
37KB
-
MD5
6d8d71abc75ed744e539cb3956a64d79
-
SHA1
d7b822a9d3937b33f9bf194af10b686f00d25c0e
-
SHA256
9195e804fa2c17c635c41bdb01ae76f0603621d70923e3b807d111fc50bea85c
-
SHA512
263ff20d0a969f39b729c0cb469ade45c1f2eaf8b0c0520e2b1e8adeee9832d63b9407a1798694f12c8c96ae6e46cf0424d290e5e9beff67a93e8b3cf97f7d86
-
SSDEEP
768:3Tz26YAWq8Kt1Cy9eTg1bxVzFg9UPO/himE/ZG:3T1YAFdjpc8xFFg9UPO/QzRG
Score10/10-
Detect Xworm Payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-