General
-
Target
XClient.exe
-
Size
167KB
-
Sample
241120-w4793a1lcw
-
MD5
a7df6dfed10d54c4a59828be8ce7bd71
-
SHA1
e5075061df638bf627e98c2ffb8dde99ce1d6ff7
-
SHA256
9239e706f06a5a88aec93df74a88b934fd403c18b9c63a0abd32c43cba11399f
-
SHA512
eb20afca81a58e769e8cebce8ed7548802e52abc90bc31d63a57e9ea9ddb4311ceb6e5f0418eb62e0d2e2e5de64f368dd4328d702c61c5bcc4b20f17da844dc2
-
SSDEEP
3072:zZn1arYF49IMOwgRUGKXs+S++7KFSbxeY+qDDrMK:NAri49LGqStKEbxI
Malware Config
Extracted
xworm
5.0
127.0.0.1:7000
tTl1Y5wGzkYBSyRY
-
Install_directory
%ProgramData%
-
install_file
gamesamse.exe
Targets
-
-
Target
XClient.exe
-
Size
167KB
-
MD5
a7df6dfed10d54c4a59828be8ce7bd71
-
SHA1
e5075061df638bf627e98c2ffb8dde99ce1d6ff7
-
SHA256
9239e706f06a5a88aec93df74a88b934fd403c18b9c63a0abd32c43cba11399f
-
SHA512
eb20afca81a58e769e8cebce8ed7548802e52abc90bc31d63a57e9ea9ddb4311ceb6e5f0418eb62e0d2e2e5de64f368dd4328d702c61c5bcc4b20f17da844dc2
-
SSDEEP
3072:zZn1arYF49IMOwgRUGKXs+S++7KFSbxeY+qDDrMK:NAri49LGqStKEbxI
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1