General
-
Target
XClient.exe
-
Size
8.0MB
-
Sample
250404-bfp4cszk15
-
MD5
866cf3b3963eb36536d645baf6097113
-
SHA1
0e3e50ba1390f54021342addef069d787d300999
-
SHA256
e22ade6a77d204ad7259d5a51f981a5c5dde835507e5747c591f76daa8f633e2
-
SHA512
945ce6248bff332c54040b2b675389874b2bfbe2d38aa7c3c631456726b4be555fc809d230f796869cdceabcc925f5e7b2345e3ba5cdccc2fc0120321eeefa1f
-
SSDEEP
196608:hyBiZfPGBM2uPDIuzhLLzyY7HOE6zocpx5XSZ7X6psLOtJF8bq7:hy8tPGm2ufhLPyqHUoSXu0h9aq7
Malware Config
Targets
-
-
Target
XClient.exe
-
Size
8.0MB
-
MD5
866cf3b3963eb36536d645baf6097113
-
SHA1
0e3e50ba1390f54021342addef069d787d300999
-
SHA256
e22ade6a77d204ad7259d5a51f981a5c5dde835507e5747c591f76daa8f633e2
-
SHA512
945ce6248bff332c54040b2b675389874b2bfbe2d38aa7c3c631456726b4be555fc809d230f796869cdceabcc925f5e7b2345e3ba5cdccc2fc0120321eeefa1f
-
SSDEEP
196608:hyBiZfPGBM2uPDIuzhLLzyY7HOE6zocpx5XSZ7X6psLOtJF8bq7:hy8tPGm2ufhLPyqHUoSXu0h9aq7
Score10/10-
Modifies WinLogon for persistence
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1