General

  • Target

    XClient.exe

  • Size

    77KB

  • Sample

    240527-skvcbahf34

  • MD5

    d48c93ab22571854620800bd29ee9e54

  • SHA1

    74463fc68f3643153abbcf10f555f459d1a3400b

  • SHA256

    fad7f858e34c269cddf27a915f2bd613697c9602dc639e6885f8e8379c61eb3c

  • SHA512

    822a0342114ffee47c57b2e746359763e2f211b0b26be46694bf7351be6993460abc939c43bd567ca14d462dc992d21310439703de29d092b82d50830bb43620

  • SSDEEP

    1536:22kpUOApqavqQSqssTq1ex64bQgjA99Ty+bDIh8bEtTT66Ga7EtOXQNEh7Bn60:F4UCZH51ex64bQgj29W+bDIWbEtdl7E4

Malware Config

Extracted

Family

xworm

C2

primary-region.gl.at.ply.gg:65203

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks