General

  • Target

    XClient.exe

  • Size

    83KB

  • Sample

    241230-c9ys2awjal

  • MD5

    e0a98853cc1bbc3b4bcf3a7e8ee3cbec

  • SHA1

    b8c72cf0fdd61684634044a163f2abd3e4f1c945

  • SHA256

    3e9e1e67ecf3fe006127f22261b7c02ce8891bcfbc33ee928867def3dc0caaa0

  • SHA512

    ebde7f94a2bd112f4993c2d59e7dd7012970819436589898f8110506ca19741ba25549569fb4effb3265e472377ef60b7bfb268663612942af0d67a2b3377064

  • SSDEEP

    1536:8Ztji2WfVA/Lyh7jaNMYF3lfs9K3u+FbBKq1K98496BJVOGb3oAUmMJfYJnik:GL/mt6f3BbgqgEnO83oA5MJf2b

Malware Config

Extracted

Family

xworm

C2

homepage-kills.gl.at.ply.gg:50722

Attributes
  • Install_directory

    %Temp%

  • install_file

    GoogleUpdateService.exe

Targets

    • Target

      XClient.exe


    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to discover the infected system's external IP address.
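The extracted config (C2 host and port, %Temp% install directory, GoogleUpdateService.exe install file) and the behaviours listed above can be turned into a hunt directly. The following is an added example, not part of the sandbox output: it scores Sysmon-style events against those indicators. The event records are constructed for illustration; the registry value for the configured country (\Control Panel\International\Geo\Nation), the set of IP-lookup hosts, and the expansion of %Temp% to the user's AppData\Local\Temp are assumptions, since the report does not name them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators copied from the report above (sample hash, extracted C2, install file).
SAMPLE_SHA256 = "3e9e1e67ecf3fe006127f22261b7c02ce8891bcfbc33ee928867def3dc0caaa0"
C2_HOST, C2_PORT = "homepage-kills.gl.at.ply.gg", 50722
INSTALL_FILE = "GoogleUpdateService.exe"

# Assumptions, not from the report: the registry value Windows keeps the configured
# country in, a few commonly abused public IP-lookup hosts, and %Temp% expanding to
# the per-user AppData\Local\Temp directory.
GEO_NATION_VALUE = r"\Control Panel\International\Geo\Nation"
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "checkip.amazonaws.com", "ifconfig.me"}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Defender exclusion cmdlet behind the "Command and Scripting Interpreter" hit.
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)\b",
    re.IGNORECASE | re.DOTALL)


@dataclass(frozen=True)
class Event:
    kind: str              # "process", "file", "network" or "registry"
    fields: Dict[str, str]  # Sysmon-style field names


def match_event(ev: Event) -> List[str]:
    """Return the names of the reported behaviours this single event matches."""
    f = ev.fields
    hits: List[str] = []
    if ev.kind == "process":
        if DEFENDER_EXCLUSION.search(f.get("CommandLine", "")):
            hits.append("defender_exclusion_via_powershell")
        if f.get("SHA256", "").lower() == SAMPLE_SHA256:
            hits.append("known_sample_hash")
        image = f.get("Image", "")
        if image.lower().endswith("\\" + INSTALL_FILE.lower()) and TEMP_DIR.search(image):
            hits.append("dropped_install_file_executed")
    elif ev.kind == "file":
        target = f.get("TargetFilename", "")
        if target.lower().endswith("\\" + INSTALL_FILE.lower()) and TEMP_DIR.search(target):
            hits.append("install_file_written_to_temp")
    elif ev.kind == "network":
        host = f.get("DestinationHostname", "").lower()
        port = int(f.get("DestinationPort", "0"))
        if host == C2_HOST and port == C2_PORT:
            hits.append("xworm_c2_connection")
        elif host in IP_LOOKUP_HOSTS:
            hits.append("external_ip_lookup")
    elif ev.kind == "registry":
        if f.get("TargetObject", "").lower().endswith(GEO_NATION_VALUE.lower()):
            hits.append("geo_nation_lookup")
    return hits


def triage(events: List[Event]) -> Dict[str, int]:
    """Count behaviour hits across an event stream. Several distinct behaviours on
    one host (exclusion + Temp drop + C2) warrant escalation; a lone IP lookup
    or registry read is weak on its own."""
    counts: Dict[str, int] = {}
    for ev in events:
        for name in match_event(ev):
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed events mimicking what Sysmon would log for this infection chain;
# they are illustrative, not captured from the sandbox run.
SAMPLE_EVENTS = [
    Event("process", {"Image": r"C:\Users\u\Downloads\XClient.exe",
                      "SHA256": SAMPLE_SHA256, "CommandLine": "XClient.exe"}),
    Event("process", {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      "CommandLine": 'powershell -Command "Add-MpPreference '
                                     '-ExclusionPath C:\\Users\\u\\AppData\\Local\\Temp"'}),
    Event("file", {"TargetFilename": r"C:\Users\u\AppData\Local\Temp\GoogleUpdateService.exe"}),
    Event("process", {"Image": r"C:\Users\u\AppData\Local\Temp\GoogleUpdateService.exe",
                      "CommandLine": "GoogleUpdateService.exe"}),
    Event("registry", {"TargetObject": r"HKU\S-1-5-21-1\Control Panel\International\Geo\Nation"}),
    Event("network", {"DestinationHostname": "api.ipify.org", "DestinationPort": "443"}),
    Event("network", {"DestinationHostname": "homepage-kills.gl.at.ply.gg", "DestinationPort": "50722"}),
    Event("network", {"DestinationHostname": "www.microsoft.com", "DestinationPort": "443"}),
]

if __name__ == "__main__":
    for name, n in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{name}: {n}")
```

Matching the install file only when it sits under the Temp directory keeps the rule tied to the extracted config rather than to the filename alone, since a legitimate GoogleUpdate binary lives under Program Files, not %Temp%. The playit.gg tunnel host in the C2 field should be blocked by hostname, not resolved IP, because those tunnels re-resolve.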

MITRE ATT&CK Enterprise v15

Tasks