General

  • Target

    Xclient.exe

  • Size

    75KB

  • Sample

    240530-l3cfwsef96

  • MD5

    1b2494b9d392e5d422e8d88227b0f607

  • SHA1

    2e2c0324a923204c51eeab617c80d58052c8ad27

  • SHA256

    b17d0f04bb4bd7169e772c44f91a0df30fb5549c738b098336a88ab81c57ae34

  • SHA512

    f2b6e7c0b8483f3aec2f2d80927a4516e598c9581bdd07e16490631f477afc56afb5c285a3ca37a22c48d15b481a4980ec74171ae03d2ceb2960a8c91dd33880

  • SSDEEP

    1536:zJN1n0htgMZ8kAAmE7mh+tubGW6ct6kciOOCCSGGQ:zVs/89AL7mZbG1c/ciOdMGQ

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:1048

tcp://2.tcp.eu.ngrok.io:1048

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      Xclient.exe

    • Size

      75KB

    • MD5

      1b2494b9d392e5d422e8d88227b0f607

    • SHA1

      2e2c0324a923204c51eeab617c80d58052c8ad27

    • SHA256

      b17d0f04bb4bd7169e772c44f91a0df30fb5549c738b098336a88ab81c57ae34

    • SHA512

      f2b6e7c0b8483f3aec2f2d80927a4516e598c9581bdd07e16490631f477afc56afb5c285a3ca37a22c48d15b481a4980ec74171ae03d2ceb2960a8c91dd33880

    • SSDEEP

      1536:zJN1n0htgMZ8kAAmE7mh+tubGW6ct6kciOOCCSGGQ:zVs/89AL7mZbG1c/ciOdMGQ

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks