General
Target: XClient.exe
Size: 39KB
Sample: 241203-tz8c6atkat
MD5: 40fd2932a64ccfd8ad76a8ce81d557d5
SHA1: 3e8f86b139ffb80a5425140d5ea08e149fae1b08
SHA256: e19bbde43b68c0b2ab107adde791a74bdfd078fc6ac88df307e6a0cbee56b1da
SHA512: 35ebaf198dcc9071f163d89d0913fe1c0840ce4b28c6b9b15ab5710abb60c061c09e788565a6921c04a9975a7dd187fcdc4d03b6fc51dd09f944573dd3287679
SSDEEP: 768:ZBj78fx6MooHKBjJfDUbtRFH9OKi6BOMh6L05jX:b78p6MLqBjJfIbDFH93i6BOMskjX
Malware Config
Extracted
xworm 5.0
127.0.0.1:14333
previous-contests.gl.at.ply.gg:14333
GH9VJU0DztsBgWNu
Install_directory: %AppData%
install_file: XClient.exe
Targets
Target: XClient.exe
Detect Xworm Payload
Xworm family
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence.
Drops startup file
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.