General

  • Target: XClient.exe
  • Size: 69KB
  • Sample: 240602-pynj5sde88
  • MD5: 4f035ef4de3102e56d73a1e5bc0133ce
  • SHA1: f9a6464bec36e6171ca140fb0b9ba97a9dab6afe
  • SHA256: 5eff5c5de41bfde202b7f8c545330b42a3b6b3b51df8abd66c06823a0404d9e6
  • SHA512: e3235deaf69c9b806b0df6d17cdd6987ceb25e96ee51358173e8c836eff06ab8637eab07b49b3b323c5d6b97b8a194d176f5dff3a131cebe74176b39e5fd1dec
  • SSDEEP: 1536:R1TbxvCM8IIEQlpGzFt6LnXvb32CxMyLMUv12tOsVyCMnV:jTlB8IxcpGJt6zfb3221v12tOsVyjV

Malware Config

Extracted

  • Family: xworm
  • Version: 3.1
  • C2: 193.161.193.99:44548

Attributes

  • Install_directory: %ProgramData%
  • install_file: USB.exe

Targets

    • Detect Xworm Payload

    • Xworm: Xworm is a remote access trojan written in C#.

    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15