xworm | XClient[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

XClient.exe
Size

34KB
MD5

43cd317f5c3048ffb08ac75fade32296
SHA1

505518f0c461004b3e2a2d4d5b0d77846b91b73b
SHA256

c358ec37fce71ada1a1ae96b66563d14fb46d9627a72555a75807b44cb2417bf
SHA512

15a321e0632bbd286c25dac85bba6de126e528b104504aeb7904ffaea4088d06ab1b725a667c3272d1ebcaead2ac2e6984d2b5775ada3465e75a86b17f0345e1
SSDEEP

768:hIS81kJqdDXrDyC8b/VFye9FWOjh5yOErH:hIZNrD8bNFb9FWOjnaH

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

Version

5.0

C2

147.185.221.21:37029

Mutex

xtRGduHkjIPfA7nS

Attributes

Install_directory
%AppData%
install_file
SUCKNIC.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
XClient.exe

Files

XClient.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ