General

  • Target

    XClient.exe

  • Size

    171KB

  • Sample

    241029-z8aq5szepb

  • MD5

    7f23c161067287c79e84d7ed7ce9b933

  • SHA1

    763b01e12d96d7674dded475d091029d227b97b2

  • SHA256

    606163ba72f1c4618154ba5e237a0c83260aeda04924baeec7f2e281271f8999

  • SHA512

    72286b2e048808ad5f758f4bda97202a3ec68b64681255254e35c19194a82a8a67a0b45a2fad14ae65f402ae089218a4e922ed391dd869e2a68a54f284d9505f

  • SSDEEP

    3072:XYvwUxiws0O8J+bQn6rNYOWZvds4Bz65/M6If+3Js+3JFkKeTnv:XVUxTsnbxiNu4xBt25

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:6522

Attributes
  • Install_directory

    %AppData%

  • install_file

    GameStarterConnation.exe

Targets

    • Target

      XClient.exe

    • Size

      171KB

    • MD5

      7f23c161067287c79e84d7ed7ce9b933

    • SHA1

      763b01e12d96d7674dded475d091029d227b97b2

    • SHA256

      606163ba72f1c4618154ba5e237a0c83260aeda04924baeec7f2e281271f8999

    • SHA512

      72286b2e048808ad5f758f4bda97202a3ec68b64681255254e35c19194a82a8a67a0b45a2fad14ae65f402ae089218a4e922ed391dd869e2a68a54f284d9505f

    • SSDEEP

      3072:XYvwUxiws0O8J+bQn6rNYOWZvds4Bz65/M6If+3Js+3JFkKeTnv:XVUxTsnbxiNu4xBt25

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to add Windows Defender exclusions for file extensions, paths and processes, so that the matching files are no longer scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check that gates execution on the victim's locale.

    • Drops startup file
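The four behaviours above (Defender exclusions via PowerShell, the install file from the extracted config, the startup drop and the configured C2) are what a responder would turn into host-side detections. The script below is an added example, not the sandbox's own signature code: it runs those checks over a few constructed, Sysmon-style log lines (file-create, network-connect and PowerShell script-block events written here for illustration, not real telemetry). The install file name and C2 come from the report's config; the `Add-MpPreference` / `Set-MpPreference` parameter names are the standard Defender cmdlet parameters and are an assumption about how the exclusions are set, since the report does not show the command line.

```python
"""Added example: match this report's XWorm behaviours against host telemetry.

The SAMPLE_LOG lines are constructed for illustration; the indicators come
from the report's extracted config. This is not the sandbox's signature code.
"""
import re
from collections import Counter

# From the report's "Malware Config" section.
C2_HOST, C2_PORT = "127.0.0.1", 6522
INSTALL_STEM = "GameStarterConnation"  # install_file, dropped under %AppData%

# Add-/Set-MpPreference with any of the three exclusion parameters the
# signature names (paths, processes, extensions). Get-MpPreference is not
# matched: reading exclusions is not tampering. (Cmdlet names assumed.)
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b",
    re.IGNORECASE,
)
# The install file with any extension (.exe, or a .lnk pointing at it).
INSTALL_RE = re.compile(r"\b" + INSTALL_STEM + r"\.\w+\b", re.IGNORECASE)
# A drop into a per-user or all-users Startup folder ("Drops startup file").
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# The configured C2 endpoint; see the note on loopback below.
C2_RE = re.compile(rf"\b{re.escape(C2_HOST)}:{C2_PORT}\b")

RULES = [
    ("defender_exclusion", EXCLUSION_RE),
    ("xworm_install_file", INSTALL_RE),
    ("startup_drop", STARTUP_RE),
    ("c2_connect", C2_RE),
]

# Constructed sample telemetry (not captured from a real host).
SAMPLE_LOG = [
    r"EID 4104 ScriptBlock: Add-MpPreference -ExclusionPath 'C:\Users\bob\AppData\Roaming\GameStarterConnation.exe'",
    r"EID 4104 ScriptBlock: Add-MpPreference -ExclusionProcess 'GameStarterConnation.exe' -ExclusionExtension '.exe'",
    r"EID 11 FileCreate: C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GameStarterConnation.lnk",
    r"EID 3 NetworkConnect: C:\Users\bob\AppData\Roaming\GameStarterConnation.exe -> 127.0.0.1:6522",
    r"EID 4104 ScriptBlock: Get-MpPreference | Select-Object ExclusionPath",
    r"EID 4104 ScriptBlock: Get-ChildItem $env:AppData",
]


def scan(lines):
    """Return (line_number, rule_name) pairs for every rule that matches a line."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((n, name))
    return hits


def rule_counts(lines):
    """Number of matching lines per rule, for a quick triage summary."""
    return dict(Counter(rule for _, rule in scan(lines)))


if __name__ == "__main__":
    for n, rule in scan(SAMPLE_LOG):
        print(f"line {n}: {rule}")
    print(rule_counts(SAMPLE_LOG))
```

Two things worth noting when reusing this. The extracted C2 is 127.0.0.1:6522, a loopback address, so the `c2_connect` rule cannot fire on a real host for this build; it is kept here to show the shape of a network rule, but the file name, the Startup drop and the Defender-exclusion command line are the indicators that actually carry weight. Second, `%AppData%` expands per user (`C:\Users\<name>\AppData\Roaming`), which is why the install-file rule matches on the file name rather than on a fixed path.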

MITRE ATT&CK Enterprise v15
