General

  • Target

    XClient.bat

  • Size

    146KB

  • Sample

    241015-cykr2azcnd

  • MD5

    c25139a288ac9288c141258006a3b30b

  • SHA1

    ba64fb572fb89cd3a8d93c7cce012c5042970157

  • SHA256

    2f425120671f4acb946275ebc731bf7b34a5c85f3d235ce9aa7f7b44994d09e4

  • SHA512

    40b6011d8663f9c1c04ec0f60d11d7fb92785a064a5346bfd9ce1d669e12392557590435c9dd5d36b7be0846225117efc1bb19235b078ffa19ec8decf0fe61cd

  • SSDEEP

    1536:Uh7jbS9f7cL5YUkoKjxClNmwTZAp7zVxg:UhOR7cL5YUkoKjxCdTZAp7zVxg

Malware Config

Extracted

Family

xworm

Version

5.0

C2

customer-principle.gl.at.ply.gg:22759

Mutex

bOqwY0aI6b39j66G

Attributes

  • Install_directory

    %Public%

  • install_file

    XClient.exe

aes.plain

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command interpreter.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks