General

Target: XClient.exe
Size: 71KB
Sample: 240527-g1fy3sag2t
MD5: e4b28b07cd9fe9348f9150bd74594fe8
SHA1: 1d7c53695f448668ca261834f833ca07eb85f043
SHA256: 9e3d0a31913d6abacb86a61de51a502bcde8d85d9bb3d3bb938cf0b3a5d1cbb5
SHA512: 0b7251510791567271153206720d730ac2f453abbc6facc69ed45310e57cadd111148391e6113ab9f2e672ca4cb5152c9a3ed161eee1853e11dc6443665e0009
SSDEEP: 1536:TeadCBv/ROFRG8yE0qlhH25+b9CPGgEAE3FXwc6Zb+QOFyCv7:TPYEF88yE0t+b9CPGNEOFT7
Behavioral task: behavioral1
Sample: XClient.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: XClient.exe
Resource: win10v2004-20240508-en
Malware Config (extracted)

Family: xworm
C2: sent-down.gl.at.ply.gg:2905
Install_directory: %AppData%
install_file: sys.exe
Targets

Target: XClient.exe
Size: 71KB
Score: 10/10

- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
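The extracted config and the behaviours listed above map directly onto host detections: a Run key pointing at %AppData%\sys.exe, a dropped sys.exe executing from that path, a PowerShell Add-MpPreference exclusion, a country-code registry lookup, and a connection to the C2 from the config. The following Python is an added example, not part of the sandbox report or of XWorm itself. It takes the C2, install file and SHA256 from this page as indicators and runs them over constructed Sysmon-style events; the exact Run/RunOnce key paths, the Control Panel\International\Geo key, the victim user name, the event field names and the sys.exe command lines are assumptions for the example, not facts from the report.

```python
"""Detections derived from the XWorm config and sandbox signatures above,
applied to constructed Sysmon-style events (placeholder data, not telemetry)."""
import re

# Indicators copied from the report.
C2_HOST = "sent-down.gl.at.ply.gg"
C2_PORT = 2905
INSTALL_FILE = "sys.exe"
SAMPLE_SHA256 = "9e3d0a31913d6abacb86a61de51a502bcde8d85d9bb3d3bb938cf0b3a5d1cbb5"

# Assumptions (not from the report): the autostart keys behind "Adds Run key",
# and the Geo key behind "Checks computer location settings".
RUN_KEY_RE = re.compile(
    r"^HK(CU|LM|U\\[^\\]+)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?(\\|$)",
    re.I)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo(\\|$)", re.I)
# Add-MpPreference is the cmdlet that adds Defender path/extension/process exclusions.
DEFENDER_EXCL_RE = re.compile(
    r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.I)
# %AppData% resolves to the Roaming profile, so the drop path ends in \AppData\Roaming\sys.exe.
INSTALL_PATH_RE = re.compile(r"\\AppData\\Roaming\\" + re.escape(INSTALL_FILE) + r"$", re.I)


def check_event(ev):
    """Return a list of (rule, detail) hits for one event dict."""
    hits = []
    kind = ev.get("event")
    if kind == "process_create":
        image = ev.get("image", "")
        cmd = ev.get("command_line", "")
        if image.lower().endswith("powershell.exe") and DEFENDER_EXCL_RE.search(cmd):
            hits.append(("defender_exclusion", cmd))
        if INSTALL_PATH_RE.search(image):
            hits.append(("dropped_exe_executed", image))
        if ev.get("sha256", "").lower() == SAMPLE_SHA256:
            hits.append(("xworm_sample_hash", image))
    elif kind == "registry_set":
        key, data = ev.get("key", ""), ev.get("data", "")
        if RUN_KEY_RE.match(key) and INSTALL_PATH_RE.search(data.strip('"')):
            hits.append(("run_key_persistence", f"{key} -> {data}"))
    elif kind == "registry_query":
        key = ev.get("key", "")
        if GEO_KEY_RE.search(key):
            hits.append(("geo_lookup", key))
    elif kind == "network_connect":
        host, port = ev.get("dest_host", "").lower(), ev.get("dest_port")
        if host == C2_HOST:
            hits.append(("c2_connect", f"{host}:{port}"))
    return hits


def scan(events):
    """Run every event through check_event; return (hits, verdict)."""
    hits = [h for ev in events for h in check_event(ev)]
    rules = {rule for rule, _ in hits}
    # Two independent behaviours (e.g. persistence plus C2) is the bar for a confident verdict.
    if len(rules) >= 2:
        verdict = "xworm_infected"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return hits, verdict


# Constructed events mirroring the sandbox signatures; "victim" and the paths are placeholders.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Users\victim\Downloads\XClient.exe",
     "command_line": "XClient.exe", "sha256": SAMPLE_SHA256},
    {"event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -Command Add-MpPreference -ExclusionPath '
                     '"C:\\Users\\victim\\AppData\\Roaming\\sys.exe"'},
    {"event": "registry_query", "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"event": "registry_set", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "sys", "data": r"C:\Users\victim\AppData\Roaming\sys.exe"},
    {"event": "process_create", "image": r"C:\Users\victim\AppData\Roaming\sys.exe",
     "command_line": "sys.exe"},
    {"event": "network_connect", "dest_host": C2_HOST, "dest_port": C2_PORT},
    {"event": "network_connect", "dest_host": "www.microsoft.com", "dest_port": 443},
]

if __name__ == "__main__":
    found, verdict = scan(SAMPLE_EVENTS)
    for rule, detail in found:
        print(f"{rule:22} {detail}")
    print("verdict:", verdict)
```

On a real host the same rules apply to Sysmon Event ID 1 (process create), 3 (network connect) and 12/13 (registry) records. The `*.ply.gg` host is a tunnel-style hostname and can change between builds, so the behavioural rules (Run key to %AppData%\sys.exe, Defender exclusion, geofence lookup) carry more weight than the C2 match; the exclusion itself can be confirmed on a live machine with `Get-MpPreference` and its `ExclusionPath`, `ExclusionExtension` and `ExclusionProcess` properties.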