General

  • Target: XClient.exe
  • Size: 42KB
  • Sample: 250120-x226psvmat
  • MD5: 3982031e2e82143cf90b273b6b614231
  • SHA1: 5a212b3d718c26cb34fc043b19979bfd37b07934
  • SHA256: 08a0be6e3717d3ac5e6117536f42dbc4e08ff41958eb059038f648c447146198
  • SHA512: e3eee612bea1d8277136a849494cd9e1767df8b77557349e7b35d8fc3dea82031e19f5d4da767fa7589e4623b6a46671b98b7110c7f802a5ac4f5a24b036ae5a
  • SSDEEP: 768:x/CsBpA2DYSPdTls3AyZrl2F59g/OCh80R8lEZ:x/C2dD0wF59g/OCu1EZ

Malware Config

Extracted

Family: xworm

Version: 5.0

C2: https://pastebin.com/raw/cyX7R6Kt:1

Mutex: H52DR5xUvBhWUz6h

Attributes
  • Install_directory: %Userprofile%
  • install_file: msconfig.exe
  • pastebin_url: https://pastebin.com/raw/cyX7R6Kt

aes.plain

Targets

    • Target: XClient.exe
    • Size: 42KB
    • MD5: 3982031e2e82143cf90b273b6b614231
    • SHA1: 5a212b3d718c26cb34fc043b19979bfd37b07934
    • SHA256: 08a0be6e3717d3ac5e6117536f42dbc4e08ff41958eb059038f648c447146198
    • SHA512: e3eee612bea1d8277136a849494cd9e1767df8b77557349e7b35d8fc3dea82031e19f5d4da767fa7589e4623b6a46671b98b7110c7f802a5ac4f5a24b036ae5a
    • SSDEEP: 768:x/CsBpA2DYSPdTls3AyZrl2F59g/OCh80R8lEZ:x/C2dD0wF59g/OCu1EZ

    • Detect Xworm Payload
    • Xworm
      Xworm is a remote access trojan written in C#.
    • Xworm family
    • Checks computer location settings
      Looks up the country code configured in the registry; likely a geofence.
    • Drops startup file
    • Executes dropped EXE
    • Adds Run key to start application
    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks