General
- Target: XClient.exe
- Size: 65KB
- Sample: 250124-z9jens1jal
- MD5: e61b7b5567e85dafef933bc75eb974f0
- SHA1: 112fd88adac00dfeaaaab3ec3dd0095f940ba257
- SHA256: 3606fbab92dc9da545537d723bc5529394d358b24878729c124d1cc582ba4b57
- SHA512: 701826564782f4c3d6b9d3e8f25c0bb3612e6eb1c4face0c270301c1f07d85849399e73507d50ff1152ba941f0ea4135ef79832e4aeaefbcb4d215b70b7ec8ef
- SSDEEP: 1536:kdHr3oQIaboNcLK4X54bIBG4qOu6U3TO9nLGb:OL8NgXObImhO9LGb
Malware Config
Extracted
- Family: xworm
- C2: 127.0.0.1:30717
- C2: window-prize.gl.ply.gg:30717
- Install_directory: %AppData%
- install_file: XClient.exe
Targets
- Target: XClient.exe
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.