General
- Target: XClient.exe
- Size: 320KB
- Sample: 241030-1v24xatkbp
- MD5: 4ba3f0d8aceb5c34629e3c69615b7f07
- SHA1: 07d8f846356546332309723b227169a28bf9cbdb
- SHA256: f1b7a871a9af061c529e0207ffe922800504676f1f835fa616427573605e52f9
- SHA512: f78079c6a2b3fdaee5e56dee4c751d7d0b5a6d3c4b26bdae40bea965c74703651dc0e844f7b08f956c4cc2fc6f7724700d31817e36941e2b7822b8097afa076b
- SSDEEP: 3072:qr0LGZkbzqwMaYOdine5Jv2l4mJe7UmuLchHPHo4bqRH33qGCNxxO7:qr0XbuwMFe5Ul4miUdLchvo4OlnqR
Behavioral task: behavioral1
- Sample: XClient.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: XClient.exe
- Resource: win10v2004-20241007-en
Malware Config
- Extracted: xworm
  - 23.ip.gl.ply.gg:8080
  - 147.185.221.23:8080
- Install_directory: %AppData%
- install_file: svchost.exe
Targets
- Target: XClient.exe (size and hashes identical to those listed under General)
- Score: 10/10
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Adds Run key to start application