General
-
Target
XClient.exe
-
Size
86KB
-
Sample
240531-vsww8afa5x
-
MD5
31f076b5465fa19caf19a6cd93e3734d
-
SHA1
cd0493acab2f0d5abde601e45ad84cc95728e753
-
SHA256
9860d27517cd71ab83705b94ba797d3bdc7f96298f0cf620688548171c97b460
-
SHA512
b92619eed7848602b680614085d5f39de519aeb5ca0d810bfe2aeaf6e27ee28d44cd81ff09ec68d87ec7db670fbd0c9987201ddd14ea8d8a23efc18a0dca8f97
-
SSDEEP
1536:IgQLXbcFJE/+mr/bWrNvSBctYn4SC6K5qTpOYe0IkSU:IgIvjr/bW8B8ROOz3U
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
XClient.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
xworm
192.168.140.129:7000
-
Install_directory
%AppData%
-
install_file
Updater.exe
Targets
-
-
Target
XClient.exe
-
Size
86KB
-
MD5
31f076b5465fa19caf19a6cd93e3734d
-
SHA1
cd0493acab2f0d5abde601e45ad84cc95728e753
-
SHA256
9860d27517cd71ab83705b94ba797d3bdc7f96298f0cf620688548171c97b460
-
SHA512
b92619eed7848602b680614085d5f39de519aeb5ca0d810bfe2aeaf6e27ee28d44cd81ff09ec68d87ec7db670fbd0c9987201ddd14ea8d8a23efc18a0dca8f97
-
SSDEEP
1536:IgQLXbcFJE/+mr/bWrNvSBctYn4SC6K5qTpOYe0IkSU:IgIvjr/bW8B8ROOz3U
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-