General
Target: XClient.exe
Size: 42KB
Sample: 240710-jpw72axepb
MD5: 6da0e4f23e02c67b4f5f45e7369070a9
SHA1: b197cf861336bdde76f43d39c8bd2a1d5907d6da
SHA256: f0d5909dae19e6f2283ccd44ff55cfc5e493c7edba9086ff0f31e082c40828da
SHA512: 25c2ddc7f5215e20cfe15288b9bec1036df81f3bf95f3df09393356b1ccbfef442fb4e6cb90d4008cdd7e3c42127babfdeb0e64f96c1b2965712aff36bea7c4c
SSDEEP: 768:SIANdbPlCBC/gRFKoerXT+2n4KXAIZFEPh9/eOChKk2BYLfgJ:RAHxngb0rTTXFFw9/eOCPQ+6
Behavioral task: behavioral1
Sample: XClient.exe
Resource: win10v2004-20240709-en
Malware Config (extracted)
Family: xworm
Version: 3.1
127.0.0.1:1
3S3MtWrqfnXGxzOF
Install_directory: %AppData%
install_file: file.exe
Targets
Target: XClient.exe
Score: 10/10
Detections:
- Detect Xworm Payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)