General

  • Target

    XClient4.exe

  • Size

    39KB

  • Sample

    241122-dnb8ksyrhq

  • MD5

    b414b4fbe0b2345d1d81e58df98171bc

  • SHA1

    fb4f495bb1f3727d696ebe284df51e5338fdd131

  • SHA256

    58b4314ae0919aacee0a66e66713ae5f4c4bf94fba4ec8004ca000080be143e4

  • SHA512

    3de3e9b3b526d7688873a2cf14169f479c531e41f7ff1b0d07e0d5c6e7f49c09c81a5183f816f9b8add199c64e6f0ab8ef8615b91096910a361cc5be4453e091

  • SSDEEP

    768:w3MosUxgIsB5AcksKyJjL77FWPa9Xa+d9OwhLaG86:4MozTE5A72Fv9Xtd9OwVT86

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    127.0.0.1:7000

    tell-outcome.gl.at.ply.gg:7000

  • Mutex

    yBZptJO9KOSBj0YC

  • Attributes

    • Install_directory

      %AppData%

    • install_file

      FileExplorer.exe

aes.plain

Targets

    • Target

      XClient4.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15