xworm | XClient[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

XClient.exe
Size

66KB
MD5

1c8918f052ec329bc568b532057f617d
SHA1

b4891dde239f01399ef990736d2fa55b581b5365
SHA256

f63b1e8e8e6dfd62154c7751a33482d343e8ef2ad7c3058f9c9f393c0509e397
SHA512

596959328b05c8f22d241f7e5dfc43c528ad42462dc00335c2acd642485183e5d9166251841d7dcf67d92955863e300faa35fbeef88bbe9a2e16c5c44334b624
SSDEEP

1536:5pf9G6fvSRCQZfl49pZTkb6+6r9R07J67Dg5S9ukOYG:5XcCiifdkb6+8dDg5cukOYG

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

arts-below.gl.at.ply.gg:35980

Attributes

Install_directory
%LocalAppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
XClient.exe

Files

XClient.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 63KB - Virtual size: 63KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ