General

  • Target

    XClient.bat

  • Size

    306KB

  • Sample

    240531-vtxvxafg92

  • MD5

    5f114fbb47589f072b2329adeab0e2d7

  • SHA1

    1572da87baa2fcd945be9ca5073cf2c27a5e4eda

  • SHA256

    976bef5e2f4128e42bb344af988b88e188503c4f7df7452ee1a87947eea833a1

  • SHA512

    4ffba8c4bc5771f90b64825880e033192bbafdf1952a29893d35821dbe675fc57b942ff22831848e3081da751804572f61b214cdc8b2a42523d069343f112b69

  • SSDEEP

    6144:rCIqB5Xma5qnV7R+N8ymXO55y6wXYjuvgfazxjjNzMGryBNYqi/v:rJqnheT68ym6vfazxDyBiX

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:38173

Attributes

  • Install_directory

    %Userprofile%

  • install_file

    Runtime Broker.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks