General

  • Target

    XClient.exe

  • Size

    204KB

  • Sample

    240621-qqmtba1gkh

  • MD5

    6b85dbaa89dc86e5fe995d3a7937d734

  • SHA1

    eb37a500af913450f80e7ceae2235270eacbe28e

  • SHA256

    e0df19cadc09d3d896b690101beb81b783ce2009486a70f692bc3c5c7e3b4cad

  • SHA512

    eacd8cc9204ad5875e9e61f5a9b50059f41f1cde10a6e6d9cc65fe51f4ef3280a03756a93917267aea976a70407f652069f695ce941031ed0c714790d976702f

  • SSDEEP

    3072:P6LhO00pFa93POMB8SKfbzxcwg7es6/Vsb8VKTup49oJMfF/H9N3Ky9NzLnK:P6L/0fa9XUhcX7elbKTuq9bfF/H9d9n

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • Mutex

    9wp50ttW2A9Yf6VS

  • Attributes

    • Install_directory

      %ProgramData%

    • install_file

      WinRAR.exe

    • pastebin_url

      https://pastebin.com/raw/0wurKpxr

  • aes.plain

Targets

    • Target

      XClient.exe


    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks