General

  • Target

    XClient.exe

  • Size

    791KB

  • Sample

    250213-3cl13sxjfm

  • MD5

    edb18e3495b26ad1333a0c49c075699a

  • SHA1

    ccccd702e3f550946a5d939befa8087b9894a1c5

  • SHA256

    825fa9e289ae87ff253cd45183bdd0f318cf22dbecf69c2fd69efae3cf4dc284

  • SHA512

    74912042762747823a34f0cbe6aa13222f720d2991309a075c74662570536b8e212a5b8db1688708030a099ab7419fc22e372528147066e0f7db0ea2d3d400ac

  • SSDEEP

    12288:SMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9FOj:SnsJ39LyjbJkQFMhmC+6GD9I

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

xworm

Version

5.0

C2

resource-intensity.gl.at.ply.gg:4444

Mutex

Wnhb7VRUnJAnu1v1

Attributes

  • install_file

    USB.exe

aes.plain

Targets

    • Target

      XClient.exe

    • Size

      791KB

    • MD5

      edb18e3495b26ad1333a0c49c075699a

    • SHA1

      ccccd702e3f550946a5d939befa8087b9894a1c5

    • SHA256

      825fa9e289ae87ff253cd45183bdd0f318cf22dbecf69c2fd69efae3cf4dc284

    • SHA512

      74912042762747823a34f0cbe6aa13222f720d2991309a075c74662570536b8e212a5b8db1688708030a099ab7419fc22e372528147066e0f7db0ea2d3d400ac

    • SSDEEP

      12288:SMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9FOj:SnsJ39LyjbJkQFMhmC+6GD9I

    • Detect Xworm Payload

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks