General

  • Target

    Xclient.exe

  • Size

    56KB

  • Sample

    240530-l3xrtseg26

  • MD5

    fc834d35126855de6339102da1cbf1b8

  • SHA1

    e2bee461ccca75a8ad164324d917a1f6ec63ef81

  • SHA256

    910229c0f5c8f1ca57c12055824f9df22435f5031744850cd3d46d196aa5d41e

  • SHA512

    b02183f72634fe7dd258596cf76725626127c5a8c9eed381b19a74dcfd6999a0953d003f92cf1c8a46da97f859ad0f514ad5a8c17f545e7c141e4353b348d2c8

  • SSDEEP

    768:q1pJ7r7OHt5qQT5pRBYXnTDDERwbWlcbbH9R4b/URa9/GFu7Am6YvO7khrZ6IGy+:WfyHtsGgTFEb/A2/um6GO7kHPGx

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:1048

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks