General

  • Target

    XClient.exe

  • Size

    37KB

  • Sample

    240622-lebvfssepf

  • MD5

    f6eb9a7bdc41185de0e6a5b09ec1eda6

  • SHA1

    a05e1964411a3006041f639f65e5a6a8015bc560

  • SHA256

    2e78b6c3e87117b35c33248f5d0c7ece9d33b2b5090861438b5d70caf9dc1bc9

  • SHA512

    b0cb80465d052fc00b634fe307870bdeced87444486f9ddb403185e3d8904667561338c610f98ae2cc85c532ed0c741e624802bf78cc7351eab47e9d056e5262

  • SSDEEP

    768:e5gTXwbLsAheofRhOUOe9tLFyc9PKIO/hYDy0T:e5gTgUAhHLOSF39PKIO/H0T

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    modern-educators.gl.at.ply.gg:23695

  • Mutex

    p7UcGSBIQBinevq7

  • Attributes

      • Install_directory

        %Userprofile%

      • install_file

        USB.exe

  • aes.plain

Targets

    • Target

      XClient.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks