General

  • Target

    XClient.exe

  • Size

    81KB

  • Sample

    240526-zcjzyabc3t

  • MD5

    66beec5a6357691c4bcd7644541ba90e

  • SHA1

    106a93ab13520ab958d5939fedeae5c2777421b2

  • SHA256

    15774468a29e033a2c6731cedca5c50c1168433031ad362394300ef65c6e8a04

  • SHA512

    db458b6a48dddc37589d1248cfd56ba1eaf808e78f7889bfe71ba0529564b3047c6b875bc4835b515cbf9ac09a9a691d30e8bb4ee219bba22609f7d393eb51c8

  • SSDEEP

    1536:r96LejJMrKPNKQRZ2lDGN+bJCu2wQFEfn6JbOlQvRUYmK:QeXYQRwli+bJCIybOlC+K

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:64493

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks