General

  • Target

    XClient.bat

  • Size

    273KB

  • Sample

    240727-hq2ngashmj

  • MD5

    dca82e50fdbefaf467663ee49541a5e8

  • SHA1

    52bcb41f5b2566312c53dcc95348fc681a1b56e1

  • SHA256

    1896c998055a7aa425a66bc860d7844102e9a303732df8f7eeb560d659e90c6f

  • SHA512

    4e4e0749db357e911a6b9d4d3a6419df9bf03a70ea405eeb16f539f48bf202c75a91fb06ae29818fb276d61df3efbd1a1e5c5a3e41145d734c2d0764d7c0e538

  • SSDEEP

    6144:DwT4eBwEaUe82AEsELrc/A5sj31o5Eh+rPTUeG8P0j5ZWCfc:DwTvCRtfs7AKjyEh+fUePP0Bc

Malware Config

Extracted

Family

xworm

Version

5.0

C2

thus-coffee.gl.at.ply.gg:6886

Mutex

OLM8W4YTLUQ9bDI1

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      XClient.bat

    • Size

      273KB

    • MD5

      dca82e50fdbefaf467663ee49541a5e8

    • SHA1

      52bcb41f5b2566312c53dcc95348fc681a1b56e1

    • SHA256

      1896c998055a7aa425a66bc860d7844102e9a303732df8f7eeb560d659e90c6f

    • SHA512

      4e4e0749db357e911a6b9d4d3a6419df9bf03a70ea405eeb16f539f48bf202c75a91fb06ae29818fb276d61df3efbd1a1e5c5a3e41145d734c2d0764d7c0e538

    • SSDEEP

      6144:DwT4eBwEaUe82AEsELrc/A5sj31o5Eh+rPTUeG8P0j5ZWCfc:DwTvCRtfs7AKjyEh+fUePP0Bc

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops file in System32 directory
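
Added example, not part of the sandbox report: a Python script that turns the extracted configuration and the behavioural signatures above into checks a responder can run offline. It verifies a candidate file against the report's hashes and runs four detection rules (hidden-window PowerShell, connection to the listed C2 host and port, an executable dropped under System32, and a read of the registry country-code value) over constructed telemetry lines. The event format, the field names (loosely borrowed from Sysmon) and the assumption that the "computer location settings" signature refers to HKCU\Control Panel\International\Geo\Nation are mine, not the sandbox's. The mutex is listed for completeness only, since checking it requires a live host. One caveat worth keeping in mind: the C2 hostname is under ply.gg, the playit.gg tunnelling service, so the IP it resolves to is a relay that can change; match on the hostname and port rather than an address.

```python
# Added example (not the sandbox's own code): match the report's indicators
# and behaviours against constructed endpoint telemetry.
import hashlib
import ntpath
import re

# Indicators copied verbatim from the report above.
REPORT_HASHES = {
    "md5": "dca82e50fdbefaf467663ee49541a5e8",
    "sha1": "52bcb41f5b2566312c53dcc95348fc681a1b56e1",
    "sha256": "1896c998055a7aa425a66bc860d7844102e9a303732df8f7eeb560d659e90c6f",
}
C2_HOST, C2_PORT = "thus-coffee.gl.at.ply.gg", 6886
INSTALL_FILE = "USB.exe"
MUTEX = "OLM8W4YTLUQ9bDI1"  # needs a live host to check; listed for completeness

# Assumption: the "country code in the registry" signature refers to this value.
GEO_KEY_SUFFIX = r"\control panel\international\geo\nation"

# powershell.exe accepts abbreviated parameters, so "-w hidden", "-win h" and
# "-WindowStyle Hidden" are all equivalent; match the whole family.
HIDDEN_WINDOW = re.compile(r"(?:^|\s)-w[a-z]*\s+h[a-z]*(?=\s|$)", re.IGNORECASE)


def hash_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of a file's contents."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matches_report(data: bytes) -> bool:
    """True only if every listed hash matches; one mismatch means a different file."""
    return hash_bytes(data) == REPORT_HASHES


def parse_event(line: str) -> dict:
    """Parse one constructed tab-separated key=value telemetry line."""
    return dict(field.split("=", 1) for field in line.rstrip("\n").split("\t"))


def hidden_powershell(ev: dict) -> bool:
    image = ntpath.basename(ev.get("Image", "")).lower()
    return (ev.get("EventType") == "ProcessCreate"
            and image in ("powershell.exe", "pwsh.exe")
            and HIDDEN_WINDOW.search(ev.get("CommandLine", "")) is not None)


def c2_connection(ev: dict) -> bool:
    return (ev.get("EventType") == "NetworkConnect"
            and ev.get("DestinationHostname", "").lower() == C2_HOST
            and int(ev.get("DestinationPort", 0)) == C2_PORT)


def system32_drop(ev: dict) -> bool:
    target = ev.get("TargetFilename", "").lower()
    return (ev.get("EventType") == "FileCreate"
            and target.startswith("c:\\windows\\system32\\")
            and target.endswith((".exe", ".bat", ".dll")))


def geo_lookup(ev: dict) -> bool:
    return (ev.get("EventType") == "RegistryRead"
            and ev.get("TargetObject", "").lower().endswith(GEO_KEY_SUFFIX))


RULES = {
    "Command and Scripting Interpreter: PowerShell (hidden window)": hidden_powershell,
    "Drops file in System32 directory": system32_drop,
    "Checks computer location settings": geo_lookup,
    "Blocklisted process makes network request (known C2)": c2_connection,
}


def scan(lines) -> list:
    """Return (event index, rule name) for every rule that fires on each line."""
    hits = []
    for n, line in enumerate(lines):
        ev = parse_event(line)
        hits.extend((n, name) for name, rule in RULES.items() if rule(ev))
    return hits


def event(**fields) -> str:
    """Build one constructed telemetry line (tab-separated key=value)."""
    return "\t".join(f"{k}={v}" for k, v in fields.items())


# Constructed sample telemetry modelled on the report's signatures; the last
# two lines are benign activity that must not fire.
SAMPLE_EVENTS = [
    event(EventType="ProcessCreate", Image=r"C:\Windows\System32\cmd.exe",
          CommandLine=r'cmd.exe /c "C:\Users\victim\Downloads\XClient.bat"'),
    event(EventType="ProcessCreate",
          Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          CommandLine=r'powershell.exe -w hidden -ep bypass -c "Start-Process USB.exe"'),
    event(EventType="FileCreate",
          Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          TargetFilename=r"C:\Windows\System32\USB.exe"),
    event(EventType="RegistryRead", Image=r"C:\Windows\System32\USB.exe",
          TargetObject=r"HKCU\Control Panel\International\Geo\Nation"),
    event(EventType="NetworkConnect", Image=r"C:\Windows\System32\USB.exe",
          DestinationHostname="thus-coffee.gl.at.ply.gg", DestinationPort="6886"),
    event(EventType="ProcessCreate",
          Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          CommandLine="powershell.exe -NoProfile -Command Get-Date"),
    event(EventType="NetworkConnect", Image=r"C:\Windows\System32\svchost.exe",
          DestinationHostname="example.com", DestinationPort="443"),
]

if __name__ == "__main__":
    for index, rule_name in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule_name}")
    print("hash match:", matches_report(b"not the sample"))
```

The hash check deliberately requires all three digests to agree, so a collision in MD5 alone cannot produce a false match. The PowerShell rule matches abbreviated parameter forms because the sandbox signature fires on the hidden window regardless of how the switch was spelled.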

MITRE ATT&CK Enterprise v15

Tasks