General

  • Target

    XCli222ent.exe

  • Size

    314KB

  • Sample

    241030-1yxctssbpe

  • MD5

    c86ec7b95c6bf88c94259b791b766f77

  • SHA1

    fe8ae19dbec24245530ab97c54808e940124e813

  • SHA256

    31dc2e0e3f92960527f4a953773df389161d9d2aab54cdb85477fb4577b5ad0b

  • SHA512

    403f56e9ef92e361cd5fe27f1e5332e2cad7c5706399ac03b2bad657f0e4fe48189109859bc7154227fe75715487037dbe9e375a50556efb72beb0ea4ebd5dcf

  • SSDEEP

    3072:Y4JiymkbRdOOZf2l4mJe7UmuLchHPHo4bqRH33qGCNxxO5:Y4JlbIl4miUdLchvo4OlnqR

Malware Config

Extracted

Family

xworm

C2

23.ip.gl.ply.gg:8080

127.0.0.1:8080

Attributes

  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Targets

    • Target

      XCli222ent.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15