General
-
Target
XClient.exe
-
Size
46KB
-
Sample
240531-2naazsha44
-
MD5
997cf7620331199fcb7e3a2a90019514
-
SHA1
9248c92463f26bf504c50d34aa8969e34c913167
-
SHA256
070ca53cb9d8d21753aa9dcc25e76c941e3894665731c9ba16b114ace647bb4b
-
SHA512
ba0822b1c72618311e1ce234861cdf4357a67fb95d240a1d7183d5ced524114a1a0968e89bcdff825a93f688e5f1d66932d68e169845c22e8f3b1836b4846339
-
SSDEEP
768:g3Pt/pS7jfx0CLn7cef+UqVJ4WaJihGWbQHKA4B6CT5K9JchiqnE7NLrCc4VO:g3Fhqj50CLn7ceWJVHbQHKz6CA9O8t7V
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
svchost.exe
-
pastebin_url
https://pastebin.com/raw/Jt9Xgc6v
Targets
-
Target
XClient.exe
-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payload is not scanned.
-
Drops startup file
-
Legitimate hosting services abused for malware hosting/C2
The extracted config's pastebin_url points to a raw Pastebin paste: a legitimate hosting service is being used for malware hosting or C2.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
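The extracted config and the signatures above translate directly into host-side hunting logic. The following is an added example, not part of the sandbox report or of any XWorm tooling: it runs simple detection rules over a few constructed endpoint telemetry records (shaped like process-creation, file-creation and network events) and flags the report's indicators: the SHA256 of the sample, svchost.exe installed under %AppData% (install_directory + install_file), a PowerShell command line adding Defender exclusions, a file written to the per-user Startup folder, and a fetch of a pastebin.com/raw URL. The event field names and the sample records are assumptions for illustration; Add-MpPreference is the standard cmdlet for adding Defender exclusions but is not named on the page. The external IP lookup is left out because the report does not name the service used.

```python
"""Hunting helper for the XWorm indicators in this report.

Constructed example: the Event shape and the sample telemetry below are
assumptions made for illustration, not data captured by the sandbox.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators taken from the report (hash list and extracted config).
SAMPLE_SHA256 = "070ca53cb9d8d21753aa9dcc25e76c941e3894665731c9ba16b114ace647bb4b"
INSTALL_FILE = "svchost.exe"                 # install_file
INSTALL_DIR_SUFFIX = "\\appdata\\roaming"    # %AppData% expands to ...\AppData\Roaming
PASTEBIN_RAW = "pastebin.com/raw/"           # host/path prefix of pastebin_url

# Add-MpPreference is the standard cmdlet for adding Defender exclusions;
# the report only states that exclusions for paths, processes and
# extensions are added via PowerShell.
DEFENDER_EXCLUSION_RE = re.compile(
    r"add-mppreference\s+.*-exclusion(path|process|extension)", re.IGNORECASE)

# Per-user Startup folder, lower-cased, for the "Drops startup file" signature.
STARTUP_SUFFIX = "\\start menu\\programs\\startup\\"


@dataclass
class Event:
    kind: str            # "process", "file" or "network" (assumed schema)
    image: str = ""      # path of the process performing the action
    cmdline: str = ""    # process command line (process events)
    target: str = ""     # file path written or URL contacted
    sha256: str = ""     # hash of the process image, if the sensor provides it


def evaluate(ev: Event) -> list[str]:
    """Return the names of every indicator that fires for one event."""
    hits: list[str] = []
    low_image = ev.image.lower()
    if ev.sha256.lower() == SAMPLE_SHA256:
        hits.append("known_xworm_sha256")
    if ev.kind == "process":
        # svchost.exe belongs in System32; a copy at %AppData%\svchost.exe
        # matches the extracted install_directory/install_file.
        if low_image.endswith(INSTALL_DIR_SUFFIX + "\\" + INSTALL_FILE):
            hits.append("svchost_in_appdata")
        if "powershell" in low_image and DEFENDER_EXCLUSION_RE.search(ev.cmdline):
            hits.append("defender_exclusion_added")
    elif ev.kind == "file":
        if STARTUP_SUFFIX in ev.target.lower():
            hits.append("startup_file_dropped")
    elif ev.kind == "network":
        if PASTEBIN_RAW in ev.target.lower():
            hits.append("pastebin_raw_fetch")
    return hits


def hunt(events: list[Event]) -> dict[str, list[str]]:
    """Map each indicator that fired to the image paths that triggered it."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for name in evaluate(ev):
            findings.setdefault(name, []).append(ev.image)
    return findings


def sample_events() -> list[Event]:
    """Constructed telemetry for a hypothetical run of the sample."""
    dropped = r"C:\Users\victim\AppData\Roaming\svchost.exe"
    return [
        Event("process", image=dropped, cmdline=dropped, sha256=SAMPLE_SHA256),
        Event("process",
              image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              cmdline='powershell -ExecutionPolicy Bypass Add-MpPreference '
                      '-ExclusionPath "C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"'),
        Event("file", image=dropped,
              target=r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                     r"\Start Menu\Programs\Startup\svchost.lnk"),
        Event("network", image=dropped, target="https://pastebin.com/raw/Jt9Xgc6v"),
        # Benign control: the real svchost.exe must not fire anything.
        Event("process", image=r"C:\Windows\System32\svchost.exe",
              cmdline=r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ]


if __name__ == "__main__":
    for name, images in hunt(sample_events()).items():
        print(f"{name:26s} {images}")
```

Feed real sensor data by constructing Event records from your own telemetry source; the rules are deliberately narrow (exact install path, raw-paste prefix, Startup folder) so they can be tightened or loosened per environment rather than tuned inside the code.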