General

  • Target

    XClient.exe

  • Size

    80KB

  • Sample

    250119-w2vaeszmbw

  • MD5

    2549b9c24b00e10d1d1b19ed18abea56

  • SHA1

    71135d2dccd4f4cdcefdd0cf2b59fe7d7fa51897

  • SHA256

    89751d8b2b5ff207f8a7da0605086c675471f47830c29357d42006eb2598262a

  • SHA512

    52c672a7bb9c2b426ad6d4ee201c18fe751836f3b0fd4dea8c76e86c16fb47afe0f1a6443af323ccef6a549eb88af73250c59af9e4000784afb2ca7ca3509afa

  • SSDEEP

    1536:6C1htydn6LwUGd8H0qlKhxGeB9VxgCR939beP8e5Lkkma6R1DTgbi55oOLuXnvKL:6CxicwUU3jvGeBTR19bePvgkmfgYoOCe

Malware Config

Extracted

Family

xworm

C2

america-depending.gl.at.ply.gg:22525

Attributes

  • Install_directory

    %AppData%

  • install_file

    fix solve.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Drops startup file

MITRE ATT&CK Enterprise v15

Tasks