General

  • Target

    Xclient.exe

  • Size

    68KB

  • Sample

    240530-l4le7adg51

  • MD5

    88366bfc61e7a52684381e1ab6acf890

  • SHA1

    5e8b24f596be2bf665a25b0ec6aee45453286747

  • SHA256

    189cdfeb6a49677d97203c3a1783b13dccaab4628b750c29fb98a82471ae62b7

  • SHA512

    16c722c54a10bdbf3687a583689d924f687f7781efe15f243dace0d4ce0a5d7e5c2195d05e778b758af5313b77d73f0cba223de837bd379865bf9013dc2e2096

  • SSDEEP

    1536:ULW8nGReAkqzCuvAX+kdxIYI+Rb2h0Zcaw6IyOAz5d:eADurxIZMb2QhOAz5d

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:1048

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets


    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15