xworm | nigga[.]exe | Triage

Sharing

General

Target

nigga.exe
Size

41KB
MD5

2050f7f1b36613662a5b4bf5756589f4
SHA1

5203b9e7928342b7c40ab9865b9701effcd818c1
SHA256

9e776e42d46f0ea879002d936b62f7494e1d770c72238d739e9c2683d88745e0
SHA512

25ada35957fed8f825350fe711ad98de669ce551a449a9b3ee94c43bdf07f8895d82ca2e652ba72e9e6685e3eb035e4ba3622c55bd08aabb08cf02d91fd5cbbe
SSDEEP

768:9TFHrDMQVZYwCxsAuwKFjHKShtF5PG9+bOwhO3EuXA:DwQEdOAulzKSTFI9+bOwgFXA

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:38630

147.185.221.19:38630

bay-currencies.gl.at.ply.gg:38630

and-organized.gl.at.ply.gg:38630

community-excess.gl.at.ply.gg:38630

Mutex

YfT9WSgF2TVkrY89

Attributes

Install_directory
%AppData%
install_file
runbroker.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource yara_rule

sample family_xworm
Xworm family
xworm
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

nigga.exe

Files

nigga.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ