General

  • Target: XClient.bat
  • Size: 66KB
  • Sample: 241118-z9mgbsvgne
  • MD5: ded6a5751236497347ed27d22226ef8d
  • SHA1: be89ce17f8dade3336202acc0b7ac78d3f9dbdca
  • SHA256: 713b3b9b9cd5a6c17626b7f31a8173f5b397db4ea0d986114524fd988803f4f2
  • SHA512: 8356eacb14d0cb5e552d383e6a5afe0873b1de2b9f002f743bd7d7aee50748011406964407e0ea0a3e04e03677410785cd385c72d88a10ced33d9315ba427ef4
  • SSDEEP: 1536:iZAamnjGVMuIfaG8PUTjSQ3qYZmdN+p6CjQU+n2S+9Kh:WAamjVuWLTjR6YZ2Ip6CjQUo2SMQ

Malware Config

Extracted

  • Family: xworm
  • C2: name-hundred.gl.at.ply.gg:10055
  • Attributes
    • install_file: Windows.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15