General

Target: XClient.exe
Size: 239KB
Sample: 240527-s92spaae45
MD5: 02f76419f80b44d1b8b1b98992f1c198
SHA1: 54dd1585153a6ac5d88626a08154e87f2db25a46
SHA256: aead2b72fe8b76ed08c3282ff0d66623bc3f8de7547fd6b2f14a04f12cefb356
SHA512: 9a9fbb453a9f635e2286ed88f591ff28aadd7887163166c0c9869d2069b6149ae48d7f5d6d6d8672e7a7160d1d405ba9a643380bbc836da787bc04331b9375cc
SSDEEP: 6144:DPhr13VjbJxUBzU8cUhcX7elbKTua9bfF/H9d9n:Dpr85U8c3X3u+
Behavioral task

behavioral1
Sample: XClient.exe
Resource: win10v2004-20240508-en
Malware Config

Extracted family: xworm
Install_directory: %AppData%
install_file: XClient.exe
pastebin_url: https://pastebin.com/raw/aCfh8JFM
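The extracted config is enough to hunt for this sample on other hosts: the loader copies itself to %AppData%\XClient.exe, persists through a Run key, and fetches its C2 address from the Pastebin raw URL. The script below is an added example, not code from the report or from the XWorm family; the telemetry lines are constructed, and the profile path C:\Users\victim\AppData\Roaming is an assumption standing in for os.environ["APPDATA"] on a live host.

```python
import re

# Extracted XWorm configuration as listed on this page.
XWORM_CONFIG = {
    "Install_directory": "%AppData%",
    "install_file": "XClient.exe",
    "pastebin_url": "https://pastebin.com/raw/aCfh8JFM",
}

# Assumed roaming profile of the demo host; on a live Windows box use
# os.environ["APPDATA"] instead.
APPDATA = r"C:\Users\victim\AppData\Roaming"


def expected_install_path(config, appdata=APPDATA):
    """Expand the loader's install directory the way the Windows shell would
    (the %AppData% token is case-insensitive) and append the install file."""
    directory = re.sub(r"%appdata%", lambda _m: appdata,
                       config["Install_directory"], flags=re.IGNORECASE)
    return directory.rstrip("\\") + "\\" + config["install_file"]


def build_indicators(config, appdata=APPDATA):
    """Compile one regex per artifact the sandbox signatures describe: the
    dropped file, a Run key whose data names it, and the Pastebin dead drop."""
    path = expected_install_path(config, appdata)
    return {
        "dropped_install_file": re.compile(re.escape(path), re.IGNORECASE),
        "run_key_persistence": re.compile(
            r"\\CurrentVersion\\Run\\.*" + re.escape(config["install_file"]),
            re.IGNORECASE),
        "pastebin_dead_drop": re.compile(re.escape(config["pastebin_url"]),
                                        re.IGNORECASE),
    }


def hunt(lines, indicators):
    """Return [(line_no, indicator_name), ...] for every telemetry line that
    matches; one line can trigger several indicators."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, rx in indicators.items():
            if rx.search(line):
                hits.append((n, name))
    return hits


# Constructed telemetry in a generic key=value event format (not real logs).
TELEMETRY = [
    r'registry_set key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\XClient" '
    r'data="C:\Users\victim\AppData\Roaming\XClient.exe"',
    r'process_create image="C:\Users\victim\AppData\Roaming\XClient.exe" '
    r'parent="C:\Users\victim\Downloads\XClient.exe"',
    r'http_get url="https://pastebin.com/raw/aCfh8JFM" process="XClient.exe"',
    r'process_create image="C:\Windows\System32\notepad.exe" parent="C:\Windows\explorer.exe"',
]

if __name__ == "__main__":
    for line_no, name in hunt(TELEMETRY, build_indicators(XWORM_CONFIG)):
        print(f"line {line_no}: {name}")
```

The Run key indicator keys on the install file name rather than the full path because the value data can be written with or without quotes and with a different casing; the dropped-file indicator still catches the exact path wherever it shows up (file writes, process creation, Run key data).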
Targets

Target: XClient.exe
Size: 239KB
(MD5, SHA1, SHA256, SHA512 and SSDEEP are identical to the General section above.)
Score: 10/10

Signatures
- Contains code to disable Windows Defender
  A .NET executable that disables Windows Defender capabilities such as realtime monitoring and block-at-first-seen.
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
  Here the pastebin.com raw URL in the extracted config.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
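The two Defender signatures above describe PowerShell driving Set-MpPreference and Add-MpPreference. A detection keyed on the full parameter names is easy to slip past, because PowerShell accepts any unambiguous prefix of a parameter (-DisableRealtimeM) and the whole script can be hidden behind -EncodedCommand. The script below is an added example, not code from the report; it resolves abbreviated parameters the way the PowerShell parser does, decodes -EncodedCommand payloads, and classifies each command line. The parameter names are the real Set-MpPreference/Add-MpPreference parameters; the sample command lines are constructed, not taken from the sandbox run.

```python
import base64
import re

# Defender parameters behind the two signatures: the first group turns a
# protection off, the second carves out exclusions.
DISABLE_PARAMS = {
    "DisableRealtimeMonitoring", "DisableBlockAtFirstSeen",
    "DisableIOAVProtection", "DisableBehaviorMonitoring", "DisableScriptScanning",
}
EXCLUSION_PARAMS = {"ExclusionPath", "ExclusionProcess", "ExclusionExtension"}
ALL_PARAMS = DISABLE_PARAMS | EXCLUSION_PARAMS

# One "-Name value" or "-Name:value" pair; the value may be quoted or absent.
PARAM_RX = re.compile(r"-(\w+)(?:[:\s]+(\"[^\"]*\"|'[^']*'|(?!-)[^\s;|]+))?")
CMDLET_RX = re.compile(r"\b(?:Set|Add)-MpPreference\b", re.IGNORECASE)
ENCODED_RX = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def resolve_param(prefix, candidates=ALL_PARAMS):
    """PowerShell binds any unambiguous prefix of a parameter name, so
    -DisableRealtimeM means -DisableRealtimeMonitoring; -Exclusion is ambiguous."""
    matches = [c for c in candidates if c.lower().startswith(prefix.lower())]
    return matches[0] if len(matches) == 1 else None


def decode_encoded_command(cmdline):
    """If the line carries -EncodedCommand (or -enc/-e/-ec), append the decoded
    UTF-16LE script so the cmdlet check sees it as well."""
    m = ENCODED_RX.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline + " ; " + decoded


def analyze(cmdline):
    """Return sorted findings: ('defender_feature_disabled', <param>) or
    ('defender_exclusion_added', '<param>=<value>')."""
    text = decode_encoded_command(cmdline)
    findings = set()
    for m in CMDLET_RX.finditer(text):
        segment = text[m.end():].split(";", 1)[0]  # up to the next statement
        for p in PARAM_RX.finditer(segment):
            name = resolve_param(p.group(1))
            value = (p.group(2) or "").strip("\"'")
            if name in DISABLE_PARAMS and value.lstrip("$").lower() in ("true", "1"):
                findings.add(("defender_feature_disabled", name))
            elif name in EXCLUSION_PARAMS and value:
                findings.add(("defender_exclusion_added", f"{name}={value}"))
    return sorted(findings)


def scan(cmdlines):
    """Map 1-based line number -> findings, for the lines that have any."""
    report = {}
    for n, line in enumerate(cmdlines, 1):
        found = analyze(line)
        if found:
            report[n] = found
    return report


# Constructed command lines (not from the sandbox run).
SAMPLES = [
    # 1: exclusions for the drop directory, the process and an extension
    "powershell -NoProfile -Command \"Add-MpPreference -ExclusionPath "
    "'C:\\Users\\victim\\AppData\\Roaming' -ExclusionProcess 'XClient.exe' -ExclusionExtension 'exe'\"",
    # 2: protections switched off with abbreviated parameter names; one left on
    "powershell Set-MpPreference -DisableRealtimeM $true -DisableBlockAtFirstS 1; "
    "Set-MpPreference -DisableBehaviorMonitoring $false",
    # 3: the same kind of tamper hidden behind -enc (built here so it decodes)
    "powershell -w hidden -enc " + base64.b64encode(
        "Set-MpPreference -DisableIOAVProtection $true".encode("utf-16-le")).decode(),
    # 4: benign read of the same settings
    "powershell Get-MpPreference | Select-Object DisableRealtimeMonitoring",
]

if __name__ == "__main__":
    for n, found in scan(SAMPLES).items():
        print(n, found)
```

Feed it Sysmon Event ID 1 command lines or PowerShell 4104 script-block text; the decoder is only needed for the former, since 4104 already logs the decoded script.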