xml[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

xml.exe
Size

70KB
MD5

98fa1ecad4b58f33f95edd3e86f0c891
SHA1

6fbac13bf503a914fa570dae85d348da1bcff0ac
SHA256

604d54af0d81878cf3b383a93afc8756c78d47c81dff97f0a712e005d3ac9c74
SHA512

19b61b3addf6dc201154976f055056e427e72945a4ed8ae6577a57907c2f12bd111fc1d8a0eca9cf87668b947d9325c5cf7df232c0e713831ae64dbe3e6ed92d
SSDEEP

1536:6+OVmE8B9PH/gLhOPB2uthvT9+6wCUyQA4XeizMVeDErKU/XbMXEvm+1:FUmEKH/gFOZXhB+6wCUyQLXlMrKwm+1

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
xml.exe

Files

xml.exe
.exe windows x64

e330943ff54abbb035aa51ba6a5796f1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

oraxml18

getNotationSysID
getDocTypeName
getDocTypeEntities
getDocTypeNotations
isStandalone
getNodeValue
getAttributes
getAttrLocal
getAttrNamespace
getAttrPrefix
getAttrQualifiedName
getAttrSpecified
getChildNodes
numChildNodes
getChildNode
getNodeLocal
getNodeNamespace
getNodePrefix
getNodeQualifiedName
LpxInitialize
LpxFileParse
XmlXppEval
XmlXppGetFirst
LpxTerminate
XmlCreateNew
XmlLoadDom
numAttributes
XmlXPtrLocSetGetLength
XmlXPtrLocSetGetItem
XmlXPtrLocGetType
XmlXPtrLocGetPoint
XmlXPtrLocGetRange
XmlXPtrLocGetNode
XmlXPtrLocToString
XmlXPtrLocSetFree
XmlXppRange
XmlXppRangeInside
XmlXppStartPoint
XmlXppEndPoint
LpxXSLInitializeCtx
LpxXSLSetNSFunction
LpxXSLSetOutputDOMCtx
LpxXSLProcessXML
LpxXSLGetResultDocFragment
LpxPrintStream
LpxMakeXPathCtx
LpxXPathSetNSFunction
LpxParseXPathExpr
LpxEvalXPathExpr
LpxFreeXPathCtx
getNotationPubID
XmlSaveDom
getEntityNotation
getEntitySysID
getAttributeIndex
getEntityPubID
XmlIsUnicode
getNextSibling
getFirstChild
getNodeType
getEncoding
LpxGetElementOffset
isUnicode
xmlLocation
LpxSetBufferSize
printStream
appendChild
createElement
getDocType
xmlterm
xslterm
xslprocessxmldocfrag
xslgetresultdocfrag
xpfreexpathctx
xpgetbooleanval
xpgetnumval
xpgetstrval
xpgetnextnsetelem
getNodeName
xpgetnsetelemnode
xpgetfirstnsetelem
xpgetnsetval
xpgetrtfragval
xpgetxpobjtyp
xpevalxpathexpr
xpparsexpathexpr
xpmakexpathctx
LpxPrintStreamEnc
lpxdntype
getDocument
nodeValid
getDocumentElement
xslprocessxml
xslgettextparam
LpxXSLResetTextVar
xslsettextparam
xslresetallparams
xslgetoutputstream
xslsetoutputstream
xslgetoutputdomctx
xslsetoutputdomctx
xslgetoutputsax
xslsetoutputsaxctx
xslsetoutputsax
xslsetoutputencoding
xslgetbaseuri
xslinit
xmlparsebuf
xmlclean
xmlparsedtd
getAttrValue
getAttrName
XdkInit
LpxFileParseWithDTD
xmlparsefile
xmlparsestream
xmlparse
xmlparseorastream
LpxMemUsage0
xmlaccess
LpxSetCtxOptimizedForXSL
xmlinitenc
XmlXPointerEval
LpxVersion

oracore18

OraStreamInit
OraStreamTerm
ss_mem_fre
SlfWrite
lstprintf
SlfClose
SlfRead
ss_mem_alc
SlfStat
SlfOpen

msvcr120

_onexit
__dllonexit
_calloc_crt
_unlock
_lock
__crtSetUnhandledExceptionFilter
?terminate@@YAXXZ
__crtCapturePreviousContext
__crtTerminateProcess
__crtUnhandledException
__crt_debugger_hook
_commode
_fmode
__initenv
__C_specific_handler
_initterm
_initterm_e
__setusermatherr
_configthreadlocale
_cexit
_exit
__set_app_type
__getmainargs
_amsg_exit
_XcptFilter
memset
strncpy
vsprintf
strncat
strlen
putchar
free
malloc
fread
fwrite
strstr
sprintf
exit
fflush
printf
fputs
__iob_func
isdigit
sscanf
puts
_chdir

orauts

GetCurrentThreadId
LoadLibraryA

kernel32

DecodePointer
GetSystemTimeAsFileTime
GetCurrentProcessId
QueryPerformanceCounter
IsProcessorFeaturePresent
IsDebuggerPresent
EncodePointer
FormatMessageA
GetThreadLocale

Sections

.text
Size: 43KB - Virtual size: 43KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 508B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e330943ff54abbb035aa51ba6a5796f1

Headers

DLL Characteristics

File Characteristics

Imports

oraxml18

oracore18

msvcr120

orauts

kernel32

Sections

.text Size: 43KB - Virtual size: 43KB

.rdata Size: 23KB - Virtual size: 22KB

.data Size: 1024B - Virtual size: 3KB

.pdata Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 508B

.text
Size: 43KB - Virtual size: 43KB

.rdata
Size: 23KB - Virtual size: 22KB

.data
Size: 1024B - Virtual size: 3KB

.pdata
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 508B