General

  • Target

    XClient.exe

  • Size

    71KB

  • Sample

    240622-etyjfaxejg

  • MD5

    03a42da6c3fb239641d0f15bdc846dae

  • SHA1

    e0d93f99aec814d3fe059779233a6e0cf00405c7

  • SHA256

    47de3cd6c8f2bddef603a2de2c06ebf06faeaa83460270b6fe9bff96261140b0

  • SHA512

    7c883a156d24d33b206dac46c192d1b1457ef847af7ddf7ba3666fb31b14fe3cf8505fe9291f27e3f17203281dd62760af5203917446729ebc2daf04a43c6d8a

  • SSDEEP

    768:viSefu1PDqdyEjGukeLajvDjgZSlxE3nIQO/EY4HQNbyTliTEJty6rGVO/RohNdh:aCsR+aarieaO7b0lxJY6yOZogqKCN

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:12550

192.168.0.13:12550

192.168.0.1:12550

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      XClient.exe

    • Size

      71KB

    • MD5

      03a42da6c3fb239641d0f15bdc846dae

    • SHA1

      e0d93f99aec814d3fe059779233a6e0cf00405c7

    • SHA256

      47de3cd6c8f2bddef603a2de2c06ebf06faeaa83460270b6fe9bff96261140b0

    • SHA512

      7c883a156d24d33b206dac46c192d1b1457ef847af7ddf7ba3666fb31b14fe3cf8505fe9291f27e3f17203281dd62760af5203917446729ebc2daf04a43c6d8a

    • SSDEEP

      768:viSefu1PDqdyEjGukeLajvDjgZSlxE3nIQO/EY4HQNbyTliTEJty6rGVO/RohNdh:aCsR+aarieaO7b0lxJY6yOZogqKCN

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks