General

  • Target

    XClient.exe

  • Size

    99KB

  • Sample

    240528-ppntjsde6z

  • MD5

    03557348a17089f5eb64b6e1c74a30d0

  • SHA1

    f2b334fa78072eda2fc5e8f76ff1b96c500e0ff9

  • SHA256

    26f6a921b85d86b226a45e44de9305ba16f15c6de72c29155fbdc7da9b5e6393

  • SHA512

    23a9ee48bc34d713f39a8cbbc92e2ae65d1487d2533df58878af247fd99553d51965775ce496e2402bc7270bff0130795fb1fe3429da99e23570c0a668937094

  • SSDEEP

    1536:Zz/BN3cQ3Bujs49jFg0/IwXCvxWCGb1u673dxWcm6xkfXjeOUeaxKHsi9rYRT:Zz/L3e9mbQ3bo67evfCOUvwsCCT

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Client.exe

  • pastebin_url

    https://pastebin.com/vnh6mTRX

Targets

    • Target

      XClient.exe

    • Size

      99KB

    • MD5

      03557348a17089f5eb64b6e1c74a30d0

    • SHA1

      f2b334fa78072eda2fc5e8f76ff1b96c500e0ff9

    • SHA256

      26f6a921b85d86b226a45e44de9305ba16f15c6de72c29155fbdc7da9b5e6393

    • SHA512

      23a9ee48bc34d713f39a8cbbc92e2ae65d1487d2533df58878af247fd99553d51965775ce496e2402bc7270bff0130795fb1fe3429da99e23570c0a668937094

    • SSDEEP

      1536:Zz/BN3cQ3Bujs49jFg0/IwXCvxWCGb1u673dxWcm6xkfXjeOUeaxKHsi9rYRT:Zz/L3e9mbQ3bo67evfCOUvwsCCT

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks