General
-
Target
XClient.exe
-
Size
99KB
-
Sample
240528-ppntjsde6z
-
MD5
03557348a17089f5eb64b6e1c74a30d0
-
SHA1
f2b334fa78072eda2fc5e8f76ff1b96c500e0ff9
-
SHA256
26f6a921b85d86b226a45e44de9305ba16f15c6de72c29155fbdc7da9b5e6393
-
SHA512
23a9ee48bc34d713f39a8cbbc92e2ae65d1487d2533df58878af247fd99553d51965775ce496e2402bc7270bff0130795fb1fe3429da99e23570c0a668937094
-
SSDEEP
1536:Zz/BN3cQ3Bujs49jFg0/IwXCvxWCGb1u673dxWcm6xkfXjeOUeaxKHsi9rYRT:Zz/L3e9mbQ3bo67evfCOUvwsCCT
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
xworm
-
Install_directory
%ProgramData%
-
install_file
Client.exe
-
pastebin_url
https://pastebin.com/vnh6mTRX
Targets
-
-
Target
XClient.exe
-
Size
99KB
-
MD5
03557348a17089f5eb64b6e1c74a30d0
-
SHA1
f2b334fa78072eda2fc5e8f76ff1b96c500e0ff9
-
SHA256
26f6a921b85d86b226a45e44de9305ba16f15c6de72c29155fbdc7da9b5e6393
-
SHA512
23a9ee48bc34d713f39a8cbbc92e2ae65d1487d2533df58878af247fd99553d51965775ce496e2402bc7270bff0130795fb1fe3429da99e23570c0a668937094
-
SSDEEP
1536:Zz/BN3cQ3Bujs49jFg0/IwXCvxWCGb1u673dxWcm6xkfXjeOUeaxKHsi9rYRT:Zz/L3e9mbQ3bo67evfCOUvwsCCT
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-