General

  • Target

    XClient.exe

  • Size

    45KB

  • Sample

    240615-fl3c4azblb

  • MD5

    1ea7fa570588a032058606fb7e020a3b

  • SHA1

    e65850b6abc138b93a9810ae03d20ff3109a52cc

  • SHA256

    daafb00382eccadaf2f91f5cdf9495db9f3c7245aebe3905bb4637909c58a2e0

  • SHA512

    e952652c2385e39d670b68aa14be28a04687b1bf036af116be7310eb1af0e6a9bbc3990803f109d145e79c37d2f043d98b60f23b5affdd29555caae193fb5e95

  • SSDEEP

    768:YaQmwcZlyOArAloVIpfVrzPmFEPa9BbkR6cOFhVzwtE/:NwGl3VfliFd9x86cOFPX/

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • Mutex

    DSLw1tuN6TXiQSJh

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    rundll64.exe

  • pastebin_url

    https://pastebin.com/raw/EiiXCJbn

aes.plain

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    T1059 Command and Scripting Interpreter (1)
    T1059.001 PowerShell (1)
    T1053 Scheduled Task/Job (1)

  • Persistence

    T1053 Scheduled Task/Job (1)

  • Privilege Escalation

    T1053 Scheduled Task/Job (1)

  • Discovery

    T1082 System Information Discovery (1)
    T1012 Query Registry (1)

  • Command and Control

    T1102 Web Service (1)
