General
-
Target
XClient2.exe
-
Size
72KB
-
Sample
240721-yhpxpstfnn
-
MD5
40663a80e6470891d3c983b7143f460f
-
SHA1
d41411214e04ea17eac12174abac3d746c01b59e
-
SHA256
41ac04f717912442f57958f140f4e7da4f09a2866b01d7f6bae75f94fa4c96e6
-
SHA512
069a3bd3f786ba22d3502ad4d4117f7abfe3e8ee6c4c35518b6398efdb8bcab00a0ba4d493d8d6670a4ba7185d727c631ee2349744ae127138801509a42f339d
-
SSDEEP
1536:JMIahO8dQiGSmttjQR8YRZZbMgA/omS8W5XZF6KdSyuDbkOBjnBn:7OdQnthQRPZbMgA/fIZZdSyusOBVn
Malware Config
Extracted
xworm
3.1
http://127.0.0.1:4040
-
Install_directory
%Temp%
-
install_file
USB.exe
Targets
-
-
Target
XClient2.exe
-
Size
72KB
-
MD5
40663a80e6470891d3c983b7143f460f
-
SHA1
d41411214e04ea17eac12174abac3d746c01b59e
-
SHA256
41ac04f717912442f57958f140f4e7da4f09a2866b01d7f6bae75f94fa4c96e6
-
SHA512
069a3bd3f786ba22d3502ad4d4117f7abfe3e8ee6c4c35518b6398efdb8bcab00a0ba4d493d8d6670a4ba7185d727c631ee2349744ae127138801509a42f339d
-
SSDEEP
1536:JMIahO8dQiGSmttjQR8YRZZbMgA/omS8W5XZF6KdSyuDbkOBjnBn:7OdQnthQRPZbMgA/fIZZdSyusOBVn
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1