General
-
Target
XClient.exe
-
Size
32KB
-
Sample
241118-tthwba1bnn
-
MD5
61dec39ff827ef9850ed12f932ab22ed
-
SHA1
0fbf2330c943bdc02078dde76e8abdfe2718f779
-
SHA256
630b2a1ee3471f27100a0937e137b8eb020bda08d8bb8f77dfa6075676443da8
-
SHA512
09b2792d136b0a46178d5519cc3516a0910294921cba3f349a8154adbc2d2eb1be3bec6106fba97574c8c128c86963185cafded90443e0df145530bdd363d9cd
-
SSDEEP
768:FXJVfQAQ/PWNDflzs0rGZFh9A+6O/ho/h+a:FZVfQAMKs0rmFh9A+6O/e8a
Malware Config
Extracted
xworm
3.1
45.139.196.188:30120
LGW1OffJggMqu1JK
-
Install_directory
%AppData%
-
install_file
USB.exe
Targets
-
-
Target
XClient.exe
-
Size
32KB
-
MD5
61dec39ff827ef9850ed12f932ab22ed
-
SHA1
0fbf2330c943bdc02078dde76e8abdfe2718f779
-
SHA256
630b2a1ee3471f27100a0937e137b8eb020bda08d8bb8f77dfa6075676443da8
-
SHA512
09b2792d136b0a46178d5519cc3516a0910294921cba3f349a8154adbc2d2eb1be3bec6106fba97574c8c128c86963185cafded90443e0df145530bdd363d9cd
-
SSDEEP
768:FXJVfQAQ/PWNDflzs0rGZFh9A+6O/ho/h+a:FZVfQAMKs0rmFh9A+6O/e8a
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1