xworm | XClient[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

XClient.exe
Size

71KB
MD5

88505095ec0a4eb3fd2d18fd533cda57
SHA1

29f7878ac1664870f7b9e4bbbff7300c7890878e
SHA256

bda3a33622ce1215377ed572d28b17fb07d89f00029dced94be6fad34cbd47fd
SHA512

c1f4b82773e986f9a96da684558756e8188637d6dd8cf2f4f23ec8d2d4ec994947c822b0992f9e473eb8194f6023957cc93915983fa9728bfb65a092cb1c1665
SSDEEP

1536:vLrjP6dLwZqiYa740MXvOzRKMV9WbqC67VN6HoOGFZdcV9Ge:vsLRiZ40Ov2WbqfbOGFvcnGe

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

product-unfortunately.gl.at.ply.gg:1219

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
XClient.exe

Files

XClient.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 68KB - Virtual size: 68KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ