General
Target: XClient5.exe
Size: 147KB
Sample: 241119-nvtfjszraq
MD5: 3f784d40733d9bfde42fb6c02cde8faa
SHA1: 9d3319543a83d010b10e3b1c543a8885ebe4e128
SHA256: c8d3f4a54afcdf15cd8338cd284d8216c442bb96e2ffc39f9c5914813cccb30b
SHA512: d04bd736cb3a0e0aeb3c77406694825295e2a5862e719222812110a3e994c1ec1c99b053c843281ebd89e4fe02f4bff727400158a53f6f2cf56fc4946cc7490e
SSDEEP: 1536:9yKG4KJYgH6n2ffmZurpbS0qDThz6pOJOPOE86G3nhd+Pw/joT3/4/:9yKK+gafurpbJqDBOGE8b3nuPw7oLQ
Behavioral task: behavioral1
Sample: XClient5.exe
Resource: win11-20241007-en
Malware Config
Extracted family: xworm
C2: afiffebri123-60395.portmap.io:60395
Install_directory: %AppData%
install_file: XClient.exe
telegram: https://api.telegram.org/bot7486317179:AAEtNWUGA1lxUf1Hicy6OwAGMFiLZF8KznM/sendMessage?chat_id=1253599693
Targets
Target: XClient5.exe
Score: 10/10
Signatures
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)