General
Target: VClient3.11.bat
Size: 422KB
Sample: 250302-d35tfatmv9
MD5: 869440ffbff098f2805f2bc6ddd1a9f5
SHA1: 85bac325a849358f534772363d8d3b5b7f7e91c7
SHA256: 18baa5efa951d971177b202c4e92aea450f1fd7ed13b5c629e3d68340fd0a4e9
SHA512: 5754c683da58fc952f804eff82cf4aedc4fdd2ea9e38a1c534ae4b894f58926ffdd13645ed781ad4fdc7318e705a03ec67edc47dc90a0619056618d18df3815a
SSDEEP: 12288:WaixzMk1buOdyDvE79qIGvL9PmaOkweC18n1x:Waixf1buOQvExqZdlOkwe+wx
Static task: static1
Behavioral task: behavioral1
Sample: VClient3.11.bat
Resource: win11-20250217-en
Malware Config
Extracted: xworm
operates-rna.with.playit.plus:4377
Install_directory: %LocalAppData%
install_file: XClient2.0.exe
Targets
Target: VClient3.11.bat (same size and hashes as listed under General)
Score: 10/10
- Detect Xworm Payload
- Xworm family
- Blocklisted process makes network request
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.