Behavioral task
behavioral1
Sample
XClient.exe
Resource
win7-20240220-en
General
-
Target
XClient.exe
-
Size
217KB
-
MD5
aafb349d724a1b6ee29e233ce3de9fe2
-
SHA1
6273688fc2a2f1216c4eab81232d03c65cd4745f
-
SHA256
3004ad4cc1142ca3483bba1a3e5c2244802c0d2df43ba3c066056e2ba8ef1046
-
SHA512
533af2f1093638fb181e43c9b12ff3e0fa4f599c824b1ec31181f86306cf7d626820a5cf7e70908cb21d77d91d7e6b7b09c696e056092fe3de0eb273f1d81618
-
SSDEEP
1536:ZZrLnQSYxHCNJ9SEX+b8oeEVy6D5O3A8wunl+g5zU730/jyY:ZFQxHCNPD+b8+7O3AJC+L3HY
Malware Config
Extracted
xworm
20.ip.gl.ply.gg:25725
<Xwormmm>:123
-
Install_directory
%Temp%
-
install_file
chiacago.exe
-
telegram
https://api.telegram.org/bot7378508941:AAFi7xPXoDjOY7Whre_FGKytWzP0LZ_WBF8/sendMessage?chat_id=6877286426
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule sample family_xworm -
Xworm family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource XClient.exe
Files
-
XClient.exe.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 63KB - Virtual size: 62KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 153KB - Virtual size: 152KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ