xworm | XClien[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

XClien.exe
Size

72KB
MD5

59a6d9ab68a1674b73007ede9d361d68
SHA1

20a2f158ae9aef540cce9cc25b76fb255e083571
SHA256

4e0859608b19737ff359f7fa3ee55a44c6f2eef13e0a48415be3507b974833dc
SHA512

0eadfa41cd1d3d9d60169f6fccf6586a1a564ef20bac4f5df2cc746171dfcdd990b44fcdffe3b9af9ec9222734b389de9175e0c631eae2c6e48fdc011f9008d4
SSDEEP

1536:ktbTvMjY/eaupLVNVkWWZSjb+4mk+b6gXZudZ4oY7k6oJiBO5BJySo:k6ZlpkXSuy+b69da7EoOPJu

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

192.168.31.70:7000

77.221.72.215:7000

Attributes

Install_directory
%ProgramData%
install_file
EpicGamesLauncher.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
XClien.exe

Files

XClien.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 70KB - Virtual size: 69KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ