General
- Target: XClient.exe
- Size: 160KB
- Sample: 240527-jt68ssea77
- MD5: 55edb485698eeeae4df7a336b556c0be
- SHA1: ed16f61cbc3cdf771ffd488dad4313950b818366
- SHA256: 144eec27ff920413dd4622b9e06558474354ba82881bcb38006665a31c7136c5
- SHA512: 8503660fabbf7f5ac88932365324968bb85e44dbf1ec2deb58c01676cae636c5a327bf714d39ef571d24c70d9e9819bb921acd9aae04fd0fd7ad96af5d0939ca
- SSDEEP: 3072:QBiC4pWGb9WxFOAAQBz65/M6If+3Js+3JFkKeTno:QB4PbexBt25
Behavioral task: behavioral1
- Sample: XClient.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: XClient.exe
- Resource: win10v2004-20240508-en
Malware Config
Extracted: xworm
- C2: 127.0.0.1:64258
- C2: 147.185.221.17:64258
- C2: 17.ip.gl.ply.gg:64258
- Install_directory: %ProgramData%
- install_file: USB.exe
Targets
- Target: XClient.exe
- Size: 160KB
Score: 10/10

Signatures
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.