General

  • Target

    XClient.exe

  • Size

    318KB

  • Sample

    240531-1bymdaeh28

  • MD5

    b0399cb072a3ade84995fc6ffbe88a83

  • SHA1

    c0c97373470a7a9efdfda335495c472f2e10a52f

  • SHA256

    7a76e982ca8dc06bc2b82504683af9fb09a890c3b3df178ddb75833c23268c84

  • SHA512

    f229eecf29e6e87f75f768e6c86f1f71da6bbaba4a8958d0513094baf09d5808e026a67a01b7fe4ca156e733ef90b2a88a15d8fa561260027e891b09054e0afd

  • SSDEEP

    1536:QoAfv3rPrmo2jTP/S0gNt9FbTjUyTLutrO5o5SrwsFGfFuAYCRAutPsAzAUCBQ:3An3Lr4cFbT1LWrO5oOg

Malware Config

Extracted

  • Family

    xworm

  • C2

    rat234678235481254.ddns.net:4782

    <Xwormmm>:3412

  • Attributes

    • Install_directory

      %AppData%

    • install_file

      Runtime Broker.exe

Targets

    • Target

      XClient.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks