General

  • Target

    XClient.exe

  • Size

    86KB

  • Sample

    240531-vsww8afa5x

  • MD5

    31f076b5465fa19caf19a6cd93e3734d

  • SHA1

    cd0493acab2f0d5abde601e45ad84cc95728e753

  • SHA256

    9860d27517cd71ab83705b94ba797d3bdc7f96298f0cf620688548171c97b460

  • SHA512

    b92619eed7848602b680614085d5f39de519aeb5ca0d810bfe2aeaf6e27ee28d44cd81ff09ec68d87ec7db670fbd0c9987201ddd14ea8d8a23efc18a0dca8f97

  • SSDEEP

    1536:IgQLXbcFJE/+mr/bWrNvSBctYn4SC6K5qTpOYe0IkSU:IgIvjr/bW8B8ROOz3U

Malware Config

Extracted

Family

xworm

C2

192.168.140.129:7000

Attributes

  • Install_directory

    %AppData%

  • install_file

    Updater.exe

Targets

    • Target

      XClient.exe

    • Size

      86KB

    • MD5

      31f076b5465fa19caf19a6cd93e3734d

    • SHA1

      cd0493acab2f0d5abde601e45ad84cc95728e753

    • SHA256

      9860d27517cd71ab83705b94ba797d3bdc7f96298f0cf620688548171c97b460

    • SHA512

      b92619eed7848602b680614085d5f39de519aeb5ca0d810bfe2aeaf6e27ee28d44cd81ff09ec68d87ec7db670fbd0c9987201ddd14ea8d8a23efc18a0dca8f97

    • SSDEEP

      1536:IgQLXbcFJE/+mr/bWrNvSBctYn4SC6K5qTpOYe0IkSU:IgIvjr/bW8B8ROOz3U

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks