General
Target: XClient (1).exe
Size: 193KB
Sample: 240615-x9jpbssepe
MD5: ab419b8842b6f71e691a6cb03526bd19
SHA1: a77a753b916eb28a9db405f4512a3c28358f1562
SHA256: 5bedf797ee31c036c5fe24a2bbb51e9c916a5df1adeaf4f1e2612034b6e52ae8
SHA512: a6fde6130a0943c4b2398848c82f83bfdb1819f9c78e012d69fbfc120b5e243f3afca0ad5786f336a037f306029d4a37235d5c0b295e4378a0cf82df9ddc90fa
SSDEEP: 1536:AJ+/a9gQFWjcj0NHHDTbb74qgDWeEsV3TD6H3EO3KNnE5RUvzIJDig7RKNgsaudq:AJW6uHH/bb7xYVTO3WE5RG8ZOewvNIF
Behavioral task
behavioral1
Sample: XClient (1).exe
Resource: win10-20240404-en

Malware Config
Extracted
Family: xworm
C2: restaurant-equation.gl.at.ply.gg:23887
Install_directory: %AppData%
install_file: XClient.exe
Targets
Target: XClient (1).exe
Size: 193KB
MD5: ab419b8842b6f71e691a6cb03526bd19
SHA1: a77a753b916eb28a9db405f4512a3c28358f1562
SHA256: 5bedf797ee31c036c5fe24a2bbb51e9c916a5df1adeaf4f1e2612034b6e52ae8
SHA512: a6fde6130a0943c4b2398848c82f83bfdb1819f9c78e012d69fbfc120b5e243f3afca0ad5786f336a037f306029d4a37235d5c0b295e4378a0cf82df9ddc90fa
SSDEEP: 1536:AJ+/a9gQFWjcj0NHHDTbb74qgDWeEsV3TD6H3EO3KNnE5RUvzIJDig7RKNgsaudq:AJW6uHH/bb7xYVTO3WE5RG8ZOewvNIF
Signatures
Detect Xworm Payload
ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage
Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
Drops startup file
Executes dropped EXE
Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP address.