General
Target: XClient.exe
Size: 204KB
Sample: 240621-qqmtba1gkh
MD5: 6b85dbaa89dc86e5fe995d3a7937d734
SHA1: eb37a500af913450f80e7ceae2235270eacbe28e
SHA256: e0df19cadc09d3d896b690101beb81b783ce2009486a70f692bc3c5c7e3b4cad
SHA512: eacd8cc9204ad5875e9e61f5a9b50059f41f1cde10a6e6d9cc65fe51f4ef3280a03756a93917267aea976a70407f652069f695ce941031ed0c714790d976702f
SSDEEP: 3072:P6LhO00pFa93POMB8SKfbzxcwg7es6/Vsb8VKTup49oJMfF/H9N3Ky9NzLnK:P6L/0fa9XUhcX7elbKTuq9bfF/H9d9n
Behavioral task: behavioral1
Sample: XClient.exe
Resource: win10v2004-20240508-en
Malware Config
Extracted: xworm
5.0
9wp50ttW2A9Yf6VS
Install_directory: %ProgramData%
install_file: WinRAR.exe
pastebin_url: https://pastebin.com/raw/0wurKpxr
Targets
Target: XClient.exe (204KB; same hashes as listed under General)
Score: 10/10
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2