General

  • Target

    XClasient.exe

  • Size

    39KB

  • Sample

    250120-x52pcavlel

  • MD5

    13a7a5f3a3d2ab4422e86399253cd99e

  • SHA1

    45c693d414aabc6c4cf74fdfe747ff4f9c91840c

  • SHA256

    c633594472eac9e17a1995fbc7270195e4638e85839ac1735e4a17bb29361b40

  • SHA512

    1dd7b257e10d289d0955356a3f40bcacaedf66e512de5dd10c23b77cfcf347e979de11f44adf8bcc67872e2a5c47b3448280cc1341615f9d3821c5552515d6d9

  • SSDEEP

    768:Rnp2iB3sNvzK2Awjzef+YEW7KbiCqEoFN9UwLAOphXjtYG/:miB8V6f6WlCq9FN9UwLAOpfB/

Malware Config

Extracted

Family

xworm

Version

5.0

C2

https://pastebin.com/raw/wtvveYnA:1

Mutex

zww9foLlwF3BhQYA

Attributes

  • Install_directory

    %Userprofile%

  • install_file

    msconfig.exe

  • pastebin_url

    https://pastebin.com/raw/wtvveYnA

aes.plain

Targets

    • Target

      XClasient.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks