xworm | XClient[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

XClient.exe
Size

46KB
MD5

439720174fa75f2a4b58f85cd12a9830
SHA1

714bd5107a9167c95b8af68f5e5c4f09742b78af
SHA256

6a2e9a1032ebe3ceb156da9770aa9a3ede8350c1f9b7589a83634ff7cb041bf5
SHA512

bac23dda0ba24d1b9e71f957aed0a11519dad054937b4b98233fef41cbade72dc440c998bcee03becbd5d3f6b75ee2d029b03ae927ca3b16beab52b66dec12af
SSDEEP

768:q6iEtyal2/YxHnkLKTsnz6a/kbck9G6MZ6lhVOv0hh6YJTe:OEtyod+e4nkbck9KZ6/VOs5JK

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

library-attachments.gl.at.ply.gg:64877

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
XClient.exe

Files

XClient.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 44KB - Virtual size: 43KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ