General

  • Target

    XClient.exe

  • Size

    68KB

  • Sample

    240526-xxcp9ahf46

  • MD5

    d70e28bc5d537045d9f49ed09641cd6c

  • SHA1

    027084899e1fa20a22eaf4d15a6815e3c1d6379d

  • SHA256

    a0466ffc10e366308a02c612d782bf46e90491b989591e64d6fa9f7364d036aa

  • SHA512

    19e11314906e7e11365315e7137aa95ba2b24e0c68a0261e655c520dfd81c762ab58998bd2c7a981a7aba74faaa0a9af6865764e51d932fd95edf5d94bbe4771

  • SSDEEP

    1536:e/JHKC4DZcHTR6yuc4RX7DaC+bIqiVo85jXP7GOaeen1+vaG0fkV:YL4DZcH2DRf1+bIqiVB9fKOonGaGxV

Malware Config

Extracted

Family

xworm

C2

IICAcro-58060.portmap.io:58060

Attributes
  • Install_directory

    %Public%

  • install_file

    svchost.exe

Targets

    • Target

      XClient.exe

    • Size

      68KB

    • MD5

      d70e28bc5d537045d9f49ed09641cd6c

    • SHA1

      027084899e1fa20a22eaf4d15a6815e3c1d6379d

    • SHA256

      a0466ffc10e366308a02c612d782bf46e90491b989591e64d6fa9f7364d036aa

    • SHA512

      19e11314906e7e11365315e7137aa95ba2b24e0c68a0261e655c520dfd81c762ab58998bd2c7a981a7aba74faaa0a9af6865764e51d932fd95edf5d94bbe4771

    • SSDEEP

      1536:e/JHKC4DZcHTR6yuc4RX7DaC+bIqiVo85jXP7GOaeen1+vaG0fkV:YL4DZcH2DRf1+bIqiVB9fKOonGaGxV

    • Contains code to disable Windows Defender

      A .NET executable that turns off Windows Defender protections such as real-time monitoring and block at first sight.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Loads dropped DLL

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry
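
The extracted config and the behaviours listed above give three things worth hunting for on a host: a svchost.exe image outside System32 or SysWOW64 (the config drops it as %Public%\svchost.exe), a connection to the portmap.io C2 host and port, and a Set-MpPreference command that disables a Defender feature. The script below is an added example, not code from the sandbox or from the sample; it runs those checks over a handful of constructed Sysmon-style events (not real telemetry) and assumes the default %Public% location of C:\Users\Public. The Set-MpPreference switch names are real Defender cmdlet parameters; the event field names are an assumption of this example.

```python
"""Hunting helper for the Xworm artefacts reported above.

Added example, not code from the sandbox report or the malware. The
events below are constructed for illustration, not captured telemetry.
"""
import re
from typing import Dict, List, Optional

# Values taken from the extracted config / hashes on this page
C2_HOST = "IICAcro-58060.portmap.io"
C2_PORT = 58060
INSTALL_FILE = "svchost.exe"
SAMPLE_SHA256 = "a0466ffc10e366308a02c612d782bf46e90491b989591e64d6fa9f7364d036aa"

# The only directories a legitimate svchost.exe image runs from
LEGIT_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Set-MpPreference switches that turn Defender protections off; the
# report names real-time monitoring and block at first sight explicitly
DEFENDER_DISABLE_RE = re.compile(
    r"set-mppreference.*?-(disablerealtimemonitoring|disableblockatfirstseen|"
    r"disableioavprotection|disablebehaviormonitoring)\s+(\$true|1)",
    re.IGNORECASE,
)


def expand_public(path: str) -> str:
    """Expand %Public% to its default location (assumption: C:\\Users\\Public)."""
    return path.replace("%Public%", r"C:\Users\Public").lower()


def check_image(path: str) -> Optional[str]:
    """Flag an svchost.exe that does not live under System32/SysWOW64."""
    p = expand_public(path)
    if p.rsplit("\\", 1)[-1] != INSTALL_FILE:
        return None
    if any(p.startswith(d + "\\") for d in LEGIT_SVCHOST_DIRS):
        return None
    return f"svchost.exe outside System32: {path}"


def check_network(host: str, port: int) -> Optional[str]:
    """Flag the extracted C2 exactly, and any other portmap.io tunnel host."""
    if host.lower() == C2_HOST.lower() and port == C2_PORT:
        return f"connection to extracted C2 {host}:{port}"
    if host.lower().endswith(".portmap.io"):
        return f"connection to portmap.io tunnel host {host}:{port}"
    return None


def check_cmdline(cmdline: str) -> Optional[str]:
    """Flag Set-MpPreference invocations that disable a Defender feature."""
    m = DEFENDER_DISABLE_RE.search(cmdline)
    return f"Defender feature disabled: {m.group(1)}" if m else None


def check_hash(sha256: str) -> Optional[str]:
    """Flag the exact sample by SHA256."""
    return "SHA256 matches XClient.exe sample" if sha256.lower() == SAMPLE_SHA256 else None


def triage(events: List[Dict]) -> List[str]:
    """Run every applicable check over a list of process/network events."""
    findings: List[str] = []
    for ev in events:
        hits: List[Optional[str]] = []
        if ev["type"] == "process":
            hits.append(check_image(ev["image"]))
            hits.append(check_cmdline(ev.get("cmdline", "")))
            hits.append(check_hash(ev.get("sha256", "")))
        elif ev["type"] == "network":
            hits.append(check_network(ev["dst_host"], ev["dst_port"]))
        findings.extend(f"[{ev['image']}] {h}" for h in hits if h)
    return findings


# Constructed events (not real telemetry): one benign svchost, the dropped
# copy in %Public%, a Defender-tampering PowerShell, the C2 beacon, and a
# benign browser connection.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "sha256": "00" * 32},
    {"type": "process", "image": r"%Public%\svchost.exe",
     "cmdline": r"%Public%\svchost.exe", "sha256": SAMPLE_SHA256},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true",
     "sha256": "11" * 32},
    {"type": "network", "image": r"C:\Users\Public\svchost.exe",
     "dst_host": "IICAcro-58060.portmap.io", "dst_port": 58060},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_host": "example.com", "dst_port": 443},
]

if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

The path check is the durable one: the hash and the C2 hostname change with every build, but an svchost.exe image outside the Windows service directories is anomalous on any host, so that rule keeps catching later Xworm builds that use the same install_file.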

MITRE ATT&CK Enterprise v15

Tasks