General

  • Target

    XClient.exe

  • Size

    239KB

  • Sample

    240527-s92spaae45

  • MD5

    02f76419f80b44d1b8b1b98992f1c198

  • SHA1

    54dd1585153a6ac5d88626a08154e87f2db25a46

  • SHA256

    aead2b72fe8b76ed08c3282ff0d66623bc3f8de7547fd6b2f14a04f12cefb356

  • SHA512

    9a9fbb453a9f635e2286ed88f591ff28aadd7887163166c0c9869d2069b6149ae48d7f5d6d6d8672e7a7160d1d405ba9a643380bbc836da787bc04331b9375cc

  • SSDEEP

    6144:DPhr13VjbJxUBzU8cUhcX7elbKTua9bfF/H9d9n:Dpr85U8c3X3u+

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/aCfh8JFM

Targets

    • Target

      XClient.exe

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring, block-at-first-seen, and similar protections.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

MITRE ATT&CK Enterprise v15

Tasks