General
-
Target
XClient (1).zip
-
Size
40KB
-
Sample
240628-rkzflaterb
-
MD5
c124b1503bd3c0d9a44033501df264d3
-
SHA1
ff2f7e99e97ef598e0ab02d6847cda26749f2a34
-
SHA256
4284e1cef08f8eeb36b70e700d580f34294253d7e0692bdd687240bd534923bc
-
SHA512
406d366857a26e41f3b528c8a63f6a825aa2247c0741655bd46131733ae1b4a442688804c5ffe231a2f50c4e85a56caa20f8b227268c0e6bcf9e99bfe3bc20d9
-
SSDEEP
768:d40+jmP3ntHPr6c1gK51rELoMWiIjAh8rwAAXjtvsbUkmkz/v/VZJtvF7ILg0nBT:dCqP3tHT6TK51rlAXjtvsJ9RvlILguR/
Malware Config
Targets
-
-
Target
XClient.exe
-
Size
69KB
-
MD5
95ffbe3fbb27e900e3bf7012175efc24
-
SHA1
b386127111d1c82f20e4625b805aa8a01dae9192
-
SHA256
aeea4b2f2f8d924f36c902d96c0b77182984530acaedb33b3124665c4b2f769f
-
SHA512
409ede5eff17f9d239adae7df9a594072b828088e9a19d173f7064b89f678ee36a6b25db4ba0db6bb74521d7e88b12f737b8d80abd7854476df94aa89edacc95
-
SSDEEP
1536:ALSNQK0UvT9Mti+zoQ+bVEmuZAauL67LHXOoG1U2CEW1:AeN1/QX+bCY6HXOv4EG
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1