xworm | XClient[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

XClient.exe
Size

84KB
MD5

bb5532aa03e8b766043599a68b6e301b
SHA1

aad9116c1ba18a581c136f37c68c66ab5079a64d
SHA256

fc0bef4b929cf8dd0aa29e5d6a11d70c3aa259c2c28fe9d185943749dc57e483
SHA512

8d971f82b64a77f320ae33ff69098a792899b241cc032705ce0e9a799a0f078bbb05f7a25453dde8d25fc1f2c4aeca4805b8016f6b95e61615261bf8f94ad2bf
SSDEEP

1536:c48KI38HwOGdrma60L45pbbE62tebpv639ZHVOK/iBkiJ:c4hHkrmX0L47bbE62t66HHVOK0ZJ

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:41896

20.ip.gl.ply.gg:41896

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
XClient.exe

Files

XClient.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 82KB - Virtual size: 81KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ