General

  • Target

    XClient.exe

  • Size

    70KB

  • Sample

    240615-px5f9svdjm

  • MD5

    1a5230c0da41410c19ab474a26b6d40a

  • SHA1

    a0f6f7afbc1bbc7148ddd13e22fe12ee22cafe8b

  • SHA256

    2bdd13def71430003c88d92bbbc98b4336b408330d26505517375047d958ead2

  • SHA512

    fab2e0a0f294e3fca72e04dc1ff9bf9846c9a0876b9445d681cf8b542c9a572491dde8b4aa4a02dd81ff5551c0fb366806854f40fcf61225a457a437e598515b

  • SSDEEP

    1536:pU+8E9EwL/GDSO7y47VTaYAKTUTdb8zPwnyKdN6O7OrClWd5KQ:pLrM7zXAKYRb8Ef7OrCgd5KQ

Malware Config

Extracted

Family

xworm

C2

restaurant-equation.gl.at.ply.gg:23887

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      XClient.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Command and Scripting Interpreter (T1059): 1

  • PowerShell (T1059.001): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

Tasks