Overview

overview

10

Static

static

3

XClient.sfx.exe

windows7-x64

10

XClient.sfx.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XClient.sfx.exe

  • Size

    427KB

  • Sample

    250121-xbmnbsxlcq

  • MD5

    5435de027987f5f1f608719b0c8a752b

  • SHA1

    b341e00d0bce1b8e085aaa7880c1e130bb6b3976

  • SHA256

    5d27d172d7910c67b668b31ed29826e973f1a78fb217b0dd4f40dcafe86bb6a2

  • SHA512

    fa75b2b27a2f1696b6dfac5fc6944f2501200eae3daaa449db3721d34c185435e82cf7c900b5f4c477185c5c9a410290e2ba9c93f7375e6810e90e61651d5d87

  • SSDEEP

    6144:x5aMJNLwL73PZPkFr1jilzqqVWk6855JKSFtIooEbQYT+t1PNmSiqqvCr:xOxPkPjQeqQ1Y53KRYT+t1PABqv

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Targets

    • Target

      XClient.sfx.exe

    • Size

      427KB

    • MD5

      5435de027987f5f1f608719b0c8a752b

    • SHA1

      b341e00d0bce1b8e085aaa7880c1e130bb6b3976

    • SHA256

      5d27d172d7910c67b668b31ed29826e973f1a78fb217b0dd4f40dcafe86bb6a2

    • SHA512

      fa75b2b27a2f1696b6dfac5fc6944f2501200eae3daaa449db3721d34c185435e82cf7c900b5f4c477185c5c9a410290e2ba9c93f7375e6810e90e61651d5d87

    • SSDEEP

      6144:x5aMJNLwL73PZPkFr1jilzqqVWk6855JKSFtIooEbQYT+t1PNmSiqqvCr:xOxPkPjQeqQ1Y53KRYT+t1PABqv

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks