General

  • Target

    XClient.exe

  • Size

    156KB

  • Sample

    250307-bk12es1vet

  • MD5

    49acade22394e1ad05b0a24ad2461d44

  • SHA1

    2cc67fe90f60f39918de6e02755756d04a9ea6a6

  • SHA256

    3394a84609088b9e0cc8e0e9df4c9f1c94f6fda2efc10164eef27bec071372e3

  • SHA512

    f7b85b6594dbd5db200810c563a2de3a8be6c9d1b9796ee2b7c856fe1747b54cc467d23a2c15120368e2155c490788c3964c1515990cab4a930f59f67adfdd87

  • SSDEEP

    1536:WRWZt9DWl8i9ko6zbQ8v/niOiN/NHERafjVm:kst08iWo6zbQ8yOiNVHEoY

Malware Config

Extracted

Family

xworm

Version

3.1

C2

places-y.gl.at.ply.gg:45473

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Targets

    • Target

      XClient.exe

    • Size

      156KB

    • MD5

      49acade22394e1ad05b0a24ad2461d44

    • SHA1

      2cc67fe90f60f39918de6e02755756d04a9ea6a6

    • SHA256

      3394a84609088b9e0cc8e0e9df4c9f1c94f6fda2efc10164eef27bec071372e3

    • SHA512

      f7b85b6594dbd5db200810c563a2de3a8be6c9d1b9796ee2b7c856fe1747b54cc467d23a2c15120368e2155c490788c3964c1515990cab4a930f59f67adfdd87

    • SSDEEP

      1536:WRWZt9DWl8i9ko6zbQ8v/niOiN/NHERafjVm:kst08iWo6zbQ8yOiNVHEoY

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application
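The extracted config and the behaviours above give a compact set of host and network indicators: the sample hashes, the C2 hostname and port, the install directory (%AppData%) and install filename (USB.exe), and persistence through a Run key. The script below is an added triage example, not part of the sandbox report or of XWorm itself. It hashes a file against the report, parses `reg query`-style Run key output for values that launch USB.exe or any executable dropped straight into %AppData%, and greps resolver or proxy log lines for the C2 host. The registry dump and DNS log lines embedded at the bottom are constructed for the demonstration; the C2 host sits under ply.gg, a tunnelling service, so matching on the hostname is more durable than matching on whichever IP it resolves to today.

```python
"""Triage helpers for the XWorm indicators in the report above.

Added example, not part of the sandbox report or the XWorm code base. The
registry dump and DNS log below are constructed; in practice feed the
functions `reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`
output and your resolver or proxy logs.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# Indicators copied from the report.
SAMPLE_HASHES = {
    "md5": "49acade22394e1ad05b0a24ad2461d44",
    "sha1": "2cc67fe90f60f39918de6e02755756d04a9ea6a6",
    "sha256": "3394a84609088b9e0cc8e0e9df4c9f1c94f6fda2efc10164eef27bec071372e3",
}
C2_HOST = "places-y.gl.at.ply.gg"
C2_PORT = 45473
INSTALL_FILE = "USB.exe"   # install_file from the extracted config


def _digest(chunks):
    digests = {name: hashlib.new(name) for name in SAMPLE_HASHES}
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data):
    return _digest([data])


def hash_file(path):
    """All three report hashes in a single pass over the file."""
    with open(path, "rb") as fh:
        return _digest(iter(lambda: fh.read(1 << 20), b""))


def is_sample(digests):
    """True only if every hash agrees with the report; one mismatch rejects."""
    return all(digests[name] == expected for name, expected in SAMPLE_HASHES.items())


# One value line of `reg query` output: <name> <REG_type> <data>.
# Value names containing spaces are not handled by this simple pattern.
REG_VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def image_path(command):
    """Strip quotes and trailing arguments from a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def suspicious_run_values(reg_lines):
    """Run entries matching the config's install location: the value launches
    USB.exe, or any .exe sitting directly in %AppData% (\\AppData\\Roaming),
    where legitimate software rarely places its main binary."""
    hits, key = [], None
    for line in reg_lines:
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = REG_VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name, _type, data = m.groups()
        image = PureWindowsPath(image_path(data))
        in_appdata_root = (image.parent.name.lower() == "roaming"
                           and image.parent.parent.name.lower() == "appdata")
        if image.name.lower() == INSTALL_FILE.lower() or (
                in_appdata_root and image.suffix.lower() == ".exe"):
            hits.append((key, name, str(image)))
    return hits


def c2_references(log_lines):
    """Log lines that name the C2 host (hostname match, not IP match)."""
    needle = C2_HOST.lower()
    return [ln for ln in log_lines if needle in ln.lower()]


# Constructed sample data for the demonstration (not from the report).
REG_DUMP = """HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    USB    REG_SZ    C:\\Users\\bob\\AppData\\Roaming\\USB.exe
    Telegram    REG_SZ    "C:\\Users\\bob\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe" -autostart
""".splitlines()

DNS_LOG = """2025-03-07T10:01:02Z client=10.0.0.5 qtype=A name=places-y.gl.at.ply.gg
2025-03-07T10:01:03Z client=10.0.0.5 qtype=A name=login.microsoftonline.com
""".splitlines()

if __name__ == "__main__":
    for hit in suspicious_run_values(REG_DUMP):
        print("run key:", hit)
    for line in c2_references(DNS_LOG):
        print("c2 lookup:", line)
    print("report sample sha256:", SAMPLE_HASHES["sha256"])
```

Run against a real host, `suspicious_run_values` wants the output of `reg query` for both the HKCU and HKLM Run keys, since the report only says a Run key was added, not which hive; `hash_file` is the check to run on whatever `%AppData%\USB.exe` turns out to be, and a mismatch means a different build rather than a clean file.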

MITRE ATT&CK Enterprise v15

Tasks