General
-
Target
Xclient.exe
-
Size
68KB
-
Sample
240530-l4le7adg51
-
MD5
88366bfc61e7a52684381e1ab6acf890
-
SHA1
5e8b24f596be2bf665a25b0ec6aee45453286747
-
SHA256
189cdfeb6a49677d97203c3a1783b13dccaab4628b750c29fb98a82471ae62b7
-
SHA512
16c722c54a10bdbf3687a583689d924f687f7781efe15f243dace0d4ce0a5d7e5c2195d05e778b758af5313b77d73f0cba223de837bd379865bf9013dc2e2096
-
SSDEEP
1536:ULW8nGReAkqzCuvAX+kdxIYI+Rb2h0Zcaw6IyOAz5d:eADurxIZMb2QhOAz5d
Malware Config
Extracted
Family
xworm
-
C2
127.0.0.1:1048 (loopback; this build's config points at the local host, so no external C2 address is recoverable from it)
-
Install_directory
%AppData%
-
install_file
XClient.exe
Targets
-
Target
Xclient.exe
-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell (T1059.001)
Runs PowerShell to add Windows Defender exclusions for file extensions, paths, and processes, so the dropped payload is not scanned.
-
Drops startup file (a file written into a Startup folder for persistence)
-
Looks up external IP address via web service
Queries a legitimate public IP-lookup web service to learn the infected system's external IP address.
-
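Detection and hash-check logic for the extracted config and the behaviours listed above, as an added example that is not part of this report and not XWorm code. It embeds the report's hashes, C2 and install path and runs four rules over a few constructed, normalised log events (Sysmon-style ProcessCreate and FileCreate records and a PowerShell 4104 script-block record). The user name "victim", the shortcut name XClient.lnk and the exact Add-MpPreference command lines are assumptions, since the report names none of them; %AppData% expands to C:\Users\<user>\AppData\Roaming on a default Windows install, and the extracted C2 is loopback, so no usable network IOC comes out of this config.

```python
"""Triage helpers for the XWorm sample reported above (added example, not report or XWorm code)."""
import hashlib
import re

# IOCs taken from the report above.
IOC = {
    "md5": "88366bfc61e7a52684381e1ab6acf890",
    "sha1": "5e8b24f596be2bf665a25b0ec6aee45453286747",
    "sha256": "189cdfeb6a49677d97203c3a1783b13dccaab4628b750c29fb98a82471ae62b7",
}
C2 = ("127.0.0.1", 1048)        # loopback in this build's config: not a network IOC
INSTALL_FILE = "XClient.exe"    # dropped under %AppData%

# %AppData% resolves to C:\Users\<user>\AppData\Roaming on a default install.
RE_INSTALL = re.compile(r"\\AppData\\Roaming\\XClient\.exe$", re.I)
# Any file written into a Start Menu Startup folder ("Drops startup file").
RE_STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
# Add-MpPreference / Set-MpPreference with any -Exclusion* parameter.
RE_DEFENDER = re.compile(
    r"\b(Add|Set)-MpPreference\b[^\n]*?-Exclusion(Path|Process|Extension)", re.I)


def file_hashes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of a file's bytes."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def matches_sample(hashes: dict) -> bool:
    """True if any supplied digest equals the report's digest of the same kind."""
    return any(hashes.get(k, "").lower() == v for k, v in IOC.items())


def parse_sysmon_hashes(field: str) -> dict:
    """Parse a Sysmon 'Hashes' field such as 'SHA256=...,MD5=...' into a dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip().lower()
    return out


def triage(events):
    """Run the rules over normalised events; return (rule, event_index) findings in order."""
    findings = []
    for i, ev in enumerate(events):
        eid, src = ev.get("event_id"), ev.get("source")
        if src == "sysmon" and eid == 11:               # FileCreate
            path = ev.get("target_filename", "")
            if RE_INSTALL.search(path):
                findings.append(("xworm_install_path", i))
            if RE_STARTUP.search(path):
                findings.append(("startup_file_drop", i))
        elif src == "sysmon" and eid == 1:              # ProcessCreate
            if matches_sample(parse_sysmon_hashes(ev.get("hashes", ""))):
                findings.append(("known_xworm_hash", i))
        elif src == "powershell" and eid == 4104:       # script block logging
            if RE_DEFENDER.search(ev.get("script_block", "")):
                findings.append(("defender_exclusion_tamper", i))
    return findings


# Constructed events modelled on the behaviours listed in the report (user name,
# shortcut name and command lines are assumptions).
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 1, "image": r"C:\Users\victim\Downloads\Xclient.exe",
     "hashes": "SHA1=5E8B24F596BE2BF665A25B0EC6AEE45453286747,"
               "SHA256=189CDFEB6A49677D97203C3A1783B13DCCAAB4628B750C29FB98A82471AE62B7"},
    {"source": "powershell", "event_id": 4104,
     "script_block": r'Add-MpPreference -ExclusionPath "C:\Users\victim\AppData\Roaming\XClient.exe"'},
    {"source": "powershell", "event_id": 4104,
     "script_block": r'Add-MpPreference -ExclusionProcess "XClient.exe"'},
    {"source": "sysmon", "event_id": 11,
     "target_filename": r"C:\Users\victim\AppData\Roaming\XClient.exe"},
    {"source": "sysmon", "event_id": 11,
     "target_filename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk"},
    {"source": "sysmon", "event_id": 11,
     "target_filename": r"C:\Users\victim\Documents\report.docx"},   # benign control
]

if __name__ == "__main__":
    for rule, idx in triage(SAMPLE_EVENTS):
        print(f"{rule:26s} <- event {idx}: {SAMPLE_EVENTS[idx]}")
```

The hash rule is the only one tied to this exact build; the path, Startup and Defender-exclusion rules fire on the behaviour and will also catch rebuilt XWorm samples with different hashes, at the cost of needing a review of legitimate Add-MpPreference use by administrators.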