General

  • Target

    XClient.bat

  • Size

    267KB

  • Sample

    241204-d6sy2svrcl

  • MD5

    f4420a832ed130530cbb75e346fb637b

  • SHA1

    f15be4046b4932f88fb202ab82cdc03de63a822f

  • SHA256

    a9b29a1f48922172ff22c84a932ba1a7d718614aa43ecb2efb51b11600bbb9bb

  • SHA512

    a32f75fb022ba2b48008571d46ea854f693b7a1514f6e1a388c26ef3c014d39192604a6c798a7ee92e7d1a538f4d26c17bec5e8d5989f3c87da4de276066526c

  • SSDEEP

    3072:CiJEEtDlM+evBkvJ1YvSmSxGcnaVPRhDclXttV5wTuBZf2mBmGAdSuHtUYhFUctv:CctDlM+ABk8SmS3gPjc1BuSBRzyXElJw

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:37695

excellent-waiver.gl.at.ply.gg:37695

Mutex

8Vpjd826AMaPZvGS

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      XClient.bat

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell and hides the display window.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

MITRE ATT&CK Enterprise v15

Tasks