xworm | XClient[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

XClient.exe
Size

35KB
MD5

45738a503cf885987f5b77b6ad2af4c2
SHA1

b10cacac6e2053181fc8a5a3122861bc642c38db
SHA256

66f47e9dab880e814be563ebc033be8bd67434b074fc8ad7a249ee0cbb2b538b
SHA512

40859bc192e3e89db4e6b1dc783b37f58c00a55221960fdecc13218495e3f3356baf1a72df9646f1d452642f257fa5b1e81a01105f60e3005b72a996777f49df
SSDEEP

768:dOrX+c360pSukg+4s/hxWFyz9FIOjh7kMC:doTXHu40mFC9FIOj3C

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

hLPM0bT7DnT0Uxlu

Attributes

Install_directory
%AppData%
install_file
Roblox.exe
pastebin_url
https://pastebin.com/raw/E6BhrVaz

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
XClient.exe

Files

XClient.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ