General

  • Target

    XClient.exe

  • Size

    160KB

  • Sample

    240527-jt68ssea77

  • MD5

    55edb485698eeeae4df7a336b556c0be

  • SHA1

    ed16f61cbc3cdf771ffd488dad4313950b818366

  • SHA256

    144eec27ff920413dd4622b9e06558474354ba82881bcb38006665a31c7136c5

  • SHA512

    8503660fabbf7f5ac88932365324968bb85e44dbf1ec2deb58c01676cae636c5a327bf714d39ef571d24c70d9e9819bb921acd9aae04fd0fd7ad96af5d0939ca

  • SSDEEP

    3072:QBiC4pWGb9WxFOAAQBz65/M6If+3Js+3JFkKeTno:QB4PbexBt25

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:64258

147.185.221.17:64258

17.ip.gl.ply.gg:64258

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

Targets

    • Target

      XClient.exe

    • Size

      160KB

    • MD5

      55edb485698eeeae4df7a336b556c0be

    • SHA1

      ed16f61cbc3cdf771ffd488dad4313950b818366

    • SHA256

      144eec27ff920413dd4622b9e06558474354ba82881bcb38006665a31c7136c5

    • SHA512

      8503660fabbf7f5ac88932365324968bb85e44dbf1ec2deb58c01676cae636c5a327bf714d39ef571d24c70d9e9819bb921acd9aae04fd0fd7ad96af5d0939ca

    • SSDEEP

      3072:QBiC4pWGb9WxFOAAQBz65/M6If+3Js+3JFkKeTno:QB4PbexBt25

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks