General
-
Target
Xclient.exe
-
Size
56KB
-
Sample
240530-l3xrtseg26
-
MD5
fc834d35126855de6339102da1cbf1b8
-
SHA1
e2bee461ccca75a8ad164324d917a1f6ec63ef81
-
SHA256
910229c0f5c8f1ca57c12055824f9df22435f5031744850cd3d46d196aa5d41e
-
SHA512
b02183f72634fe7dd258596cf76725626127c5a8c9eed381b19a74dcfd6999a0953d003f92cf1c8a46da97f859ad0f514ad5a8c17f545e7c141e4353b348d2c8
-
SSDEEP
768:q1pJ7r7OHt5qQT5pRBYXnTDDERwbWlcbbH9R4b/URa9/GFu7Am6YvO7khrZ6IGy+:WfyHtsGgTFEb/A2/um6GO7kHPGx
Malware Config
Extracted
xworm
127.0.0.1:1048
-
Install_directory
%AppData%
-
install_file
XClient.exe
Targets
-
-
Target
Xclient.exe
-
Size
56KB
-
MD5
fc834d35126855de6339102da1cbf1b8
-
SHA1
e2bee461ccca75a8ad164324d917a1f6ec63ef81
-
SHA256
910229c0f5c8f1ca57c12055824f9df22435f5031744850cd3d46d196aa5d41e
-
SHA512
b02183f72634fe7dd258596cf76725626127c5a8c9eed381b19a74dcfd6999a0953d003f92cf1c8a46da97f859ad0f514ad5a8c17f545e7c141e4353b348d2c8
-
SSDEEP
768:q1pJ7r7OHt5qQT5pRBYXnTDDERwbWlcbbH9R4b/URa9/GFu7Am6YvO7khrZ6IGy+:WfyHtsGgTFEb/A2/um6GO7kHPGx
-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-