General

  • Target

    XClient.exe

  • Size

    320KB

  • Sample

    241030-1v24xatkbp

  • MD5

    4ba3f0d8aceb5c34629e3c69615b7f07

  • SHA1

    07d8f846356546332309723b227169a28bf9cbdb

  • SHA256

    f1b7a871a9af061c529e0207ffe922800504676f1f835fa616427573605e52f9

  • SHA512

    f78079c6a2b3fdaee5e56dee4c751d7d0b5a6d3c4b26bdae40bea965c74703651dc0e844f7b08f956c4cc2fc6f7724700d31817e36941e2b7822b8097afa076b

  • SSDEEP

    3072:qr0LGZkbzqwMaYOdine5Jv2l4mJe7UmuLchHPHo4bqRH33qGCNxxO7:qr0XbuwMFe5Ul4miUdLchvo4OlnqR

Malware Config

Extracted

Family

xworm

C2

23.ip.gl.ply.gg:8080

147.185.221.23:8080

Attributes

  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks