General

  • Target

    XClient.exe

  • Size

    44KB

  • Sample

    240615-fc7w8ayhnc

  • MD5

    6e9fa2861d7787e72a110992f2484f1c

  • SHA1

    6a893005fc8aa7a30cdad0cbd8d1267d3552241b

  • SHA256

    e1e8b20e65ab2bf8984257349caae81261ed4707d92c1246d233f99ac5c38f7c

  • SHA512

    48ceeb53234aeb4e511f3eacd2642b7735eb27403426fceabb81c3e484d5bcd584b715b36921a96efae95e5b5c3b1f88804be7d3313642873f6f9d494cca98eb

  • SSDEEP

    768:d2aZQnlm1k5nVAhEIkfVr9PDDmFEPa9Bfk6tOFhszwtwN:dKlRpflMFd9Nk6tOFmnN

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

bKfNZmtdOSnSkNdE

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    rundll64.exe

aes.plain

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    T1059 Command and Scripting Interpreter (1)
    T1059.001 PowerShell (1)
    T1053 Scheduled Task/Job (1)

  • Persistence

    T1053 Scheduled Task/Job (1)

  • Privilege Escalation

    T1053 Scheduled Task/Job (1)

  • Discovery

    T1082 System Information Discovery (1)
    T1012 Query Registry (1)

Tasks