General

  • Target

    XClient.exe

  • Size

    46KB

  • Sample

    240531-2naazsha44

  • MD5

    997cf7620331199fcb7e3a2a90019514

  • SHA1

    9248c92463f26bf504c50d34aa8969e34c913167

  • SHA256

    070ca53cb9d8d21753aa9dcc25e76c941e3894665731c9ba16b114ace647bb4b

  • SHA512

    ba0822b1c72618311e1ce234861cdf4357a67fb95d240a1d7183d5ced524114a1a0968e89bcdff825a93f688e5f1d66932d68e169845c22e8f3b1836b4846339

  • SSDEEP

    768:g3Pt/pS7jfx0CLn7cef+UqVJ4WaJihGWbQHKA4B6CT5K9JchiqnE7NLrCc4VO:g3Fhqj50CLn7ceWJVHbQHKz6CA9O8t7V

Malware Config

Extracted

Family

xworm

Attributes

  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/Jt9Xgc6v

Targets

    • Target

      XClient.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks