General

  • Target

    XClient.rar

  • Size

    47KB

  • Sample

    240801-ze5peszgmc

  • MD5

    3e927f3cf005e86563edd2f8b9a010a7

  • SHA1

    d3298614438c234c90cf4d979ea166211dd32e6f

  • SHA256

    baa8ace81d5e51f20fea99bf6b8de26c594a2011b670883304e085e5a9847eb2

  • SHA512

    a12f9f63aeefd7b46a28bba0d9266ae57ea8e1a1a1dd24ed00125d3d31d6c8e93fc448c183d5bc7c49b617e577c611bfa38ee7527f2584bfe5d4273b3e056558

  • SSDEEP

    768:KJqOIafzF7rapluoLB4bkKxOxUR+ezEuauHG+YUqYm074Idsvv7L/jBhl+6NDNz8:XLaR7WbuoLQk1evrmIzm0EICvvRBbz8

Malware Config

Extracted

Family

xworm

C2

full-self.gl.at.ply.gg:45212

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      XClient.exe

    • Size

      80KB

    • MD5

      bfa950b37b6a4f8de71af861e677a8b4

    • SHA1

      2ee40bfbf2964d92c82256e5924169295dfdd225

    • SHA256

      07f94f8f6061ba95899914496edc5854aa810de56797d9004875276d60e21ade

    • SHA512

      235b514fac01b24edaef3aeb4209676789b6ba9264a8798cb7ae48c26d2455cdd8f254e92bbba688535acb69fd77b3c0a0a549cf97ece84c235cc74f72234e1a

    • SSDEEP

      1536:EI5NuEGJkEtydWqZQSp1eS+b59gxzhfxdl/5m6qeo//3Oy/4IK4Dax5:Eg1GhtktQGAS+b59cJ4eA/OlINDab

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks