xworm | Runtime Broker[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Runtime Broker.exe
Size

57KB
MD5

d37832d746c6a25ebaf8101f1b282f17
SHA1

32d34f9cd14328b45a9369acc690bdb55e4be79a
SHA256

cf0be4aa30dfd880ae270eba269741d618daccad11aa8890ee76eec953b5a147
SHA512

ca799c1901945ad6d0837959bb0b453c0b18dcdfc70d8e8727d50bf078db1be016a4d837be5d62c4c66c7246adb9b4e968c215f2f42b98c45246559aa69dcd82
SSDEEP

768:hK+Ster+0YtPNxUIPTsj+SEFPoEee0Q/+bWXadSSz7T6kjGOHahjxAcenu:stn0uvLjzbj0Q2bAadL6BOHa4xu

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

awgaegsrgcs.duckdns.org:58554

Attributes

install_file
USB.exe

Signatures

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Runtime Broker.exe

Files

Runtime Broker.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 54KB - Virtual size: 54KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ