General
Target: Xclient.exe
Size: 75KB
Sample: 240530-l3cfwsef96
MD5: 1b2494b9d392e5d422e8d88227b0f607
SHA1: 2e2c0324a923204c51eeab617c80d58052c8ad27
SHA256: b17d0f04bb4bd7169e772c44f91a0df30fb5549c738b098336a88ab81c57ae34
SHA512: f2b6e7c0b8483f3aec2f2d80927a4516e598c9581bdd07e16490631f477afc56afb5c285a3ca37a22c48d15b481a4980ec74171ae03d2ceb2960a8c91dd33880
SSDEEP: 1536:zJN1n0htgMZ8kAAmE7mh+tubGW6ct6kciOOCCSGGQ:zVs/89AL7mZbG1c/ciOdMGQ

Malware Config
Extracted family: xworm
C2: 127.0.0.1:1048
C2: tcp://2.tcp.eu.ngrok.io:1048
Install_directory: %AppData%
install_file: XClient.exe

Targets
Target: Xclient.exe (75KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)

Signatures
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Drops startup file
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.