General
-
Target
XClient.exe
-
Size
318KB
-
Sample
240531-1bymdaeh28
-
MD5
b0399cb072a3ade84995fc6ffbe88a83
-
SHA1
c0c97373470a7a9efdfda335495c472f2e10a52f
-
SHA256
7a76e982ca8dc06bc2b82504683af9fb09a890c3b3df178ddb75833c23268c84
-
SHA512
f229eecf29e6e87f75f768e6c86f1f71da6bbaba4a8958d0513094baf09d5808e026a67a01b7fe4ca156e733ef90b2a88a15d8fa561260027e891b09054e0afd
-
SSDEEP
1536:QoAfv3rPrmo2jTP/S0gNt9FbTjUyTLutrO5o5SrwsFGfFuAYCRAutPsAzAUCBQ:3An3Lr4cFbT1LWrO5oOg
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win10v2004-20240426-en
Malware Config
Extracted
xworm
rat234678235481254.ddns.net:4782
<Xwormmm>:3412
-
Install_directory
%AppData%
-
install_file
Runtime Broker.exe
Targets
-
-
Target
XClient.exe
-
Size
318KB
-
MD5
b0399cb072a3ade84995fc6ffbe88a83
-
SHA1
c0c97373470a7a9efdfda335495c472f2e10a52f
-
SHA256
7a76e982ca8dc06bc2b82504683af9fb09a890c3b3df178ddb75833c23268c84
-
SHA512
f229eecf29e6e87f75f768e6c86f1f71da6bbaba4a8958d0513094baf09d5808e026a67a01b7fe4ca156e733ef90b2a88a15d8fa561260027e891b09054e0afd
-
SSDEEP
1536:QoAfv3rPrmo2jTP/S0gNt9FbTjUyTLutrO5o5SrwsFGfFuAYCRAutPsAzAUCBQ:3An3Lr4cFbT1LWrO5oOg
Score10/10-
Detect Xworm Payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-