General
-
Target
XClient.exe
-
Size
81KB
-
Sample
240526-zcjzyabc3t
-
MD5
66beec5a6357691c4bcd7644541ba90e
-
SHA1
106a93ab13520ab958d5939fedeae5c2777421b2
-
SHA256
15774468a29e033a2c6731cedca5c50c1168433031ad362394300ef65c6e8a04
-
SHA512
db458b6a48dddc37589d1248cfd56ba1eaf808e78f7889bfe71ba0529564b3047c6b875bc4835b515cbf9ac09a9a691d30e8bb4ee219bba22609f7d393eb51c8
-
SSDEEP
1536:r96LejJMrKPNKQRZ2lDGN+bJCu2wQFEfn6JbOlQvRUYmK:QeXYQRwli+bJCIybOlC+K
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
XClient.exe
Resource
win10v2004-20240426-en
Malware Config
Extracted
xworm
19.ip.gl.ply.gg:64493
-
Install_directory
%AppData%
-
install_file
XClient.exe
Targets
-
-
Target
XClient.exe
-
Size
81KB
-
MD5
66beec5a6357691c4bcd7644541ba90e
-
SHA1
106a93ab13520ab958d5939fedeae5c2777421b2
-
SHA256
15774468a29e033a2c6731cedca5c50c1168433031ad362394300ef65c6e8a04
-
SHA512
db458b6a48dddc37589d1248cfd56ba1eaf808e78f7889bfe71ba0529564b3047c6b875bc4835b515cbf9ac09a9a691d30e8bb4ee219bba22609f7d393eb51c8
-
SSDEEP
1536:r96LejJMrKPNKQRZ2lDGN+bJCu2wQFEfn6JbOlQvRUYmK:QeXYQRwli+bJCIybOlC+K
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-