General

  • Target

    XClient.exe

  • Size

    39KB

  • Sample

    250123-rxxgrstqhp

  • MD5

    37708340719cd692b521653ed51a8998

  • SHA1

    f896256d8c8d91e9ac690b8eee55b405433497f5

  • SHA256

    beeb4bc88b6912289e6be134662c6794f21416e3a70d61ee18c0c4e1d84809ce

  • SHA512

    b28acc5f1e39b7a9eb8e1d41adb3c454e5d76587988e845aa913258efadd9158795a1761e33152d513cf8167b0d615e074ec9fe48db801c35350a5fa0ad08e67

  • SSDEEP

    768:Znp2iB3sNvzK2AwjzeN2YEW7KbiCqEoFN9UrcMUcOphmjtYGj:+iB8V6NiWlCq9FN9UrDROp+Bj

Malware Config

Extracted

Family

xworm

Version

5.0

C2

https://pastebin.com/raw/wtvveYnA:1

Mutex

cRWkyXhFU3sXnrK4

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    msconfig.exe

  • pastebin_url

    https://pastebin.com/raw/wtvveYnA

aes.plain

Targets

    • Target

      XClient.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks