General
-
Target
XClient.exe
-
Size
38KB
-
Sample
240630-zl1ztaveqe
-
MD5
580476bf6d98b53ca3897d3e1ddb7395
-
SHA1
4228dd985cac40c46b5e78e0b1db4d2b432768cc
-
SHA256
407c8bca5d8860243c432477063fd131e5ac5f262df2ee3f95ea995eaca3d584
-
SHA512
7ba29b6dfddac9bf3945a8b02c30d25a38e88f608f479f7d8b4cd3fb59e05d3464d3b8aa754add793bf21c42dca4b35bb707f1f073e2894e20c8d15570b1720d
-
SSDEEP
768:L7kigiROpS93paGFyw9/lI6rO/htjPNsb:L9Z/lpFr99I6rO/Pab
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win11-20240508-en
Malware Config
Extracted
xworm
5.0
NgM4ZY0RAWPip3iP
-
Install_directory
%AppData%
-
install_file
ReAgentC.exe
-
pastebin_url
https://pastebin.com/raw/UWpQULMP
Targets
-
-
Target
XClient.exe
-
Size
38KB
-
MD5
580476bf6d98b53ca3897d3e1ddb7395
-
SHA1
4228dd985cac40c46b5e78e0b1db4d2b432768cc
-
SHA256
407c8bca5d8860243c432477063fd131e5ac5f262df2ee3f95ea995eaca3d584
-
SHA512
7ba29b6dfddac9bf3945a8b02c30d25a38e88f608f479f7d8b4cd3fb59e05d3464d3b8aa754add793bf21c42dca4b35bb707f1f073e2894e20c8d15570b1720d
-
SSDEEP
768:L7kigiROpS93paGFyw9/lI6rO/htjPNsb:L9Z/lpFr99I6rO/Pab
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1