General

  • Target

    XClient.exe

  • Size

    67KB

  • Sample

    250118-x5gn6ssqap

  • MD5

    da221174277f0412d5751d1dd0884215

  • SHA1

    3627c05118667132b109f7b620fc6f33f435ac74

  • SHA256

    193ffb07ababa99cf6944129382e85b38218d950016937aceead1112ce4f7d96

  • SHA512

    172850dca35c00fec6b448a13594debfcd81bf5458054aa9dc0ca932ba1a2321c3d8b77d1037ee2d246cdb402be4a5725e7eee199de252efb1352c4f166f9129

  • SSDEEP

    1536:+XbYW+LOEL57yZbUZaltd5vI6839qOWquqq/0K:+XbH+LOI5eZbUZsNSwOeqRK

Malware Config

Targets

    • Target

      XClient.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the payload is not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application
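
Detection logic for the behaviours in the signature list above, as an added example that is not part of the sandbox report and not code from the Xworm sample. It runs over constructed records shaped like Sysmon process-create (EventID 1), file-create (EventID 11) and registry-value-set (EventID 13) events, not the sample's actual trace, and correlates a file-create with a later process-create of the same path to cover "Executes dropped EXE". The field names, user paths and command line are assumptions; the SHA256 is the one listed for XClient.exe on this page.

```python
"""Map host telemetry onto the signature names used in this report.

Added example: the events below are constructed to look like Sysmon records and
are not taken from the sample's trace. Field names are assumptions.
"""
import re
from dataclasses import dataclass, field

# SHA256 of XClient.exe as listed in the report.
XCLIENT_SHA256 = "193ffb07ababa99cf6944129382e85b38218d950016937aceead1112ce4f7d96"

# Defender exclusion cmdlets; covers the 'file extensions, paths, and processes'
# wording of the PowerShell signature.
DEFENDER_EXCLUSION_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Extension|Process)\b", re.I)
# HKCU/HKLM ...\CurrentVersion\Run and RunOnce value writes.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Per-user or all-users Startup folder.
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


@dataclass
class Event:
    event_id: int                # Sysmon EventID: 1 process, 11 file, 13 registry
    image: str = ""              # process image path (EventID 1)
    command_line: str = ""       # process command line (EventID 1)
    target: str = ""             # file path (11) or registry value path (13)
    details: str = ""            # registry value data (13)
    hashes: dict = field(default_factory=dict)


def classify(ev):
    """Return the report signature names a single event matches, in check order."""
    hits = []
    if ev.hashes.get("SHA256", "").lower() == XCLIENT_SHA256:
        hits.append("Detect Xworm Payload")
    if ev.event_id == 1 and DEFENDER_EXCLUSION_RE.search(ev.command_line):
        hits.append("Command and Scripting Interpreter: PowerShell")
    if ev.event_id == 11 and STARTUP_DIR_RE.search(ev.target):
        hits.append("Drops startup file")
    if ev.event_id == 13 and RUN_KEY_RE.search(ev.target):
        hits.append("Adds Run key to start application")
    return hits


def detect(events):
    """Run the per-event checks plus the dropped-EXE correlation over an ordered
    event list. Returns {signature name: [event indices]}."""
    dropped = set()        # lower-cased paths seen in file-create events so far
    findings = {}
    for i, ev in enumerate(events):
        sigs = classify(ev)
        if ev.event_id == 11:
            dropped.add(ev.target.lower())
        elif ev.event_id == 1 and ev.image.lower() in dropped:
            sigs.append("Executes dropped EXE")
        for s in sigs:
            findings.setdefault(s, []).append(i)
    return findings


# Constructed telemetry (assumed paths and user name), in execution order.
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Users\u\AppData\Local\Temp\XClient.exe",
          command_line=r"C:\Users\u\AppData\Local\Temp\XClient.exe",
          hashes={"SHA256": XCLIENT_SHA256}),
    Event(1, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line=r'powershell -Command "Add-MpPreference -ExclusionPath '
                       r'C:\Users\u\AppData\Roaming -ExclusionProcess XClient.exe"'),
    Event(11, target=r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu"
                     r"\Programs\Startup\XClient.lnk"),
    Event(11, target=r"C:\Users\u\AppData\Roaming\XClient.exe"),
    Event(13, target=r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient",
          details=r"C:\Users\u\AppData\Roaming\XClient.exe"),
    Event(1, image=r"C:\Users\u\AppData\Roaming\XClient.exe",
          command_line=r"C:\Users\u\AppData\Roaming\XClient.exe",
          hashes={"SHA256": XCLIENT_SHA256}),
    Event(1, image=r"C:\Windows\System32\notepad.exe", command_line="notepad.exe"),
]

if __name__ == "__main__":
    for sig, idx in sorted(detect(SAMPLE_EVENTS).items()):
        print(f"{sig}: events {idx}")
```

Sysmon does not record registry reads, so the country-code lookup behind "Checks computer location settings" is not observable this way and is deliberately left out rather than guessed at. On a live host the same evidence can be read directly: Get-MpPreference exposes ExclusionPath, ExclusionExtension and ExclusionProcess, and the Run values live under HKCU and HKLM at Software\Microsoft\Windows\CurrentVersion\Run.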

MITRE ATT&CK Enterprise v15

Tasks