General
Target: XClient.bat
Size: 306KB
Sample: 240531-vtxvxafg92
MD5: 5f114fbb47589f072b2329adeab0e2d7
SHA1: 1572da87baa2fcd945be9ca5073cf2c27a5e4eda
SHA256: 976bef5e2f4128e42bb344af988b88e188503c4f7df7452ee1a87947eea833a1
SHA512: 4ffba8c4bc5771f90b64825880e033192bbafdf1952a29893d35821dbe675fc57b942ff22831848e3081da751804572f61b214cdc8b2a42523d069343f112b69
SSDEEP: 6144:rCIqB5Xma5qnV7R+N8ymXO55y6wXYjuvgfazxjjNzMGryBNYqi/v:rJqnheT68ym6vfazxDyBiX
Static task: static1
Behavioral task: behavioral1
Sample: XClient.bat
Resource: win11-20240508-en
Malware Config
Extracted family: xworm
C2: 19.ip.gl.ply.gg:38173
Install_directory: %Userprofile%
install_file: Runtime Broker.exe
Targets
Target: XClient.bat
Score: 10/10
Signatures:
- Detect Xworm Payload
- Blocklisted process makes network request
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.