General

Target: XClient.exe
Size: 171KB
Sample: 241029-z1m2haynds
MD5: 7f23c161067287c79e84d7ed7ce9b933
SHA1: 763b01e12d96d7674dded475d091029d227b97b2
SHA256: 606163ba72f1c4618154ba5e237a0c83260aeda04924baeec7f2e281271f8999
SHA512: 72286b2e048808ad5f758f4bda97202a3ec68b64681255254e35c19194a82a8a67a0b45a2fad14ae65f402ae089218a4e922ed391dd869e2a68a54f284d9505f
SSDEEP: 3072:XYvwUxiws0O8J+bQn6rNYOWZvds4Bz65/M6If+3Js+3JFkKeTnv:XVUxTsnbxiNu4xBt25
Malware Config

Extracted: xworm
C2: 127.0.0.1:6522 (loopback; a build configured this way cannot beacon off-host, so no external C2 traffic should be expected from this sample)
Install_directory: %AppData%
install_file: GameStarterConnation.exe
Targets

Target: XClient.exe
Size: 171KB
(MD5, SHA1, SHA256, SHA512 and SSDEEP are the same values listed under General.)
Signatures

- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell: runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes (excluded items are not scanned, which is the usual defence-evasion step before the payload is written).
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file: writes a file into a Startup folder so the payload is launched at every logon.
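The three behaviours above (Defender exclusions added from PowerShell, a registry lookup of the configured country code, and a file dropped into a Startup folder) plus the extracted install path are all observable on the host, which matters here because the loopback C2 leaves nothing to hunt for on the network. The script below is an added example written for this page, not code from the sandbox or from the malware; it runs hunting logic over constructed event records shaped like PowerShell Script Block Logging (Event ID 4104), Sysmon FileCreate (Event ID 11) and a sandbox API trace. The event contents, user name `victim` and the `ApiTrace` source are assumptions made for the example; only the install directory and file name come from the report's config.

```python
"""Hunt for the host behaviours attributed to XClient.exe in this report.

Added example, not part of the sandbox report. Event records are constructed
to resemble PowerShell 4104, Sysmon 11 and a sandbox API trace; they were not
taken from the analysed run.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Values from the report's extracted config.
INSTALL_DIRECTORY = "%AppData%"          # resolves to <profile>\AppData\Roaming
INSTALL_FILE = "GameStarterConnation.exe"

# Add-MpPreference appends exclusions, Set-MpPreference replaces them;
# either one with an -Exclusion* parameter carves a hole in Defender.
CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_PARAM_RE = re.compile(r"-Exclusion(Path|Extension|Process)\b", re.IGNORECASE)
# Registry key holding the configured country (GeoID); read, not written,
# so Sysmon never sees it. Only a script block or an API trace shows it.
GEO_RE = re.compile(r"Control Panel\\International\\Geo", re.IGNORECASE)
# Per-user or all-users Startup folder.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


@dataclass
class Finding:
    signature: str
    event_id: int
    evidence: str


def is_install_path(path: str) -> bool:
    """True when a path equals %AppData%\\<install_file> for any user profile."""
    parts = path.replace("/", "\\").split("\\")
    if len(parts) < 3 or parts[-1].lower() != INSTALL_FILE.lower():
        return False
    return [p.lower() for p in parts[-3:-1]] == ["appdata", "roaming"]


def defender_exclusions(script: str) -> list[str]:
    """Exclusion kinds (Extension/Path/Process) a script block adds, sorted."""
    if not CMDLET_RE.search(script):
        return []
    return sorted({m.group(1).capitalize() for m in EXCLUSION_PARAM_RE.finditer(script)})


def hunt(events: list[dict]) -> list[Finding]:
    """Map raw events onto the report's signatures; returns one Finding per hit."""
    findings: list[Finding] = []
    for ev in events:
        eid, data = ev["id"], ev["data"]
        if eid == 4104:                                   # PowerShell script block
            kinds = defender_exclusions(data)
            if kinds:
                findings.append(Finding(
                    "Defender exclusion via PowerShell: " + ", ".join(kinds), eid, data))
            if GEO_RE.search(data):
                findings.append(Finding("Country code lookup (geofence)", eid, data))
        elif eid == 11:                                   # Sysmon FileCreate
            if STARTUP_RE.search(data):
                findings.append(Finding("Startup file dropped", eid, data))
            if is_install_path(data):
                findings.append(Finding("Config install path written", eid, data))
        elif ev.get("source") == "ApiTrace" and GEO_RE.search(data):
            findings.append(Finding("Country code lookup (geofence)", eid, data))
    return findings


# Constructed sample events (not from the sandbox run).
SAMPLE_EVENTS = [
    {"id": 4104, "source": "PowerShell",
     "data": "Add-MpPreference -ExclusionPath 'C:\\Users\\victim\\AppData\\Roaming' "
             "-ExclusionProcess 'GameStarterConnation.exe' -ExclusionExtension 'exe'"},
    {"id": 4104, "source": "PowerShell",
     "data": "Get-MpComputerStatus | Select-Object AMRunningMode"},     # benign
    {"id": 11, "source": "Sysmon",
     "data": "C:\\Users\\victim\\AppData\\Roaming\\GameStarterConnation.exe"},
    {"id": 11, "source": "Sysmon",
     "data": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
             "\\Programs\\Startup\\GameStarterConnation.lnk"},
    {"id": 0, "source": "ApiTrace",
     "data": "RegQueryValueExW HKCU\\Control Panel\\International\\Geo\\Nation"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.signature}: {f.evidence}")
```

Script Block Logging is off by default, so the 4104 path only fires on hosts where it has been enabled; on hosts without it, the Sysmon FileCreate match on the config's install path and the Startup folder is the durable signal, and the geofence lookup is only visible in a sandbox or EDR API trace because registry reads are not logged.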