xworm | XClient[.]exe | Triage

Sharing

General

Target

XClient.exe
Size

77KB
MD5

67e75e4d0ab6a97a6cf55c6d94d3a5b0
SHA1

af8d2625a2f432c6704ab968683ac8f426172fec
SHA256

dd5cf02ec1619051f3bfbfd1f2817d33fe563dc1f443b774b7b995825f16017b
SHA512

daf42da5e3d4579aa410d1cec01a083e5671d34e8eb7bacda2f4f5a2fa1c1669e1e5d48b3c36faa29de46c75a1e12e4a2fc0a3548fda5cd48cedcdf02eed440d
SSDEEP

1536:Agk8AIS90L1jDkzbN/UxAFhV6RC6ptKTQTOxKDgoOVumL7:zkh5C1jozblVwST+OxKEo8H

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

http://xwormdemon12-53870.portmap.io:56963

Attributes

Install_directory
%AppData%
install_file
BloxstrapModded.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
XClient.exe

Files

XClient.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 70KB - Virtual size: 70KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ