xworm | XClient[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

XClient.exe
Size

48KB
MD5

4a916e74ed16c0518244311c2ba0f3a4
SHA1

f0f7cb2abb4f8bed2ca73bd7db10d2ec08177c9b
SHA256

cc202135840ccd7e3390a3356d29fa26d52d762542ed7fc340319d1b8b7973b1
SHA512

49f5ec6be19ac4b16517348c0b407b760d1b2086b3f9c72d6dd7463bc4ee78de18e2e2fd514ef2c8d89592f91d03d4e2dedf836ebe6f0ef5c733757728e81ea0
SSDEEP

1536:Ufb4J4h0VM2QqkLbt5yFv98b6vOAHWFT3d:Ufbd0VM2ULbCFv98aOACTt

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:6249

Mutex

wmnG6N6wrFlnIoo9

Attributes

Install_directory
%AppData%
install_file
Exit External.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
XClient.exe

Files

XClient.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 46KB - Virtual size: 45KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ