General
-
Target
XClient.exe
-
Size
34KB
-
Sample
250125-j6p52swjcr
-
MD5
0e2d8453d25e0c10c837df17cee92794
-
SHA1
6e4f980c7a4813e385ac01b005b9eb7bb3a63267
-
SHA256
010c25e723fef619badbc922d34d0349b80d0686a7e7b34192bea76f28950ed4
-
SHA512
3bd1a07990765ddbf58692b031568630408f3a52576e029780e5d7231e19caada5dc5a571cd47479ede0d1c0c08c37bdc2a5deedf8f28d5b78350e9da00c5fff
-
SSDEEP
768:P8rdXxt2EkNFdG1U3Fyc9qXC6EOjhdyve:Pu0FdGCFh9qXC6EOjp
Malware Config
Extracted
xworm
3.1
japanese-cross.gl.at.ply.gg:16828
dKjXiw0bskOKO6JU
-
Install_directory
%AppData%
-
install_file
USB.exe
Targets
-
-
Target
XClient.exe
-
Size
34KB
-
MD5
0e2d8453d25e0c10c837df17cee92794
-
SHA1
6e4f980c7a4813e385ac01b005b9eb7bb3a63267
-
SHA256
010c25e723fef619badbc922d34d0349b80d0686a7e7b34192bea76f28950ed4
-
SHA512
3bd1a07990765ddbf58692b031568630408f3a52576e029780e5d7231e19caada5dc5a571cd47479ede0d1c0c08c37bdc2a5deedf8f28d5b78350e9da00c5fff
-
SSDEEP
768:P8rdXxt2EkNFdG1U3Fyc9qXC6EOjhdyve:Pu0FdGCFh9qXC6EOjp
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-