xworm | Desktop[.]rar

Sharing

Copy URL Twitter E-mail

General

Target

Desktop.rar
Size

202KB
MD5

76978b3600e972d12d1d5908d288a547
SHA1

c6c8995de8fa7d099ad9ae59bfc62a4e69a2e014
SHA256

c40ddc154c7b1f2ed75eb71402c4d9d535b04b6981f2ba35b543d13e92517b09
SHA512

04a76d64de347127dfd181621012f57a67e89857177ccf3555a15241880036742b7726f88979b64d8b9a622decd486d0de94ce00ecf7806dd0cc68065a58e4f5
SSDEEP

3072:ks8qbjgwosZWvya69zE0oeiK44wGoyg1CsDolJf8/Vj4BOjEC2umT5XhWFjrU7hk:z4CovyagUms0vfcj4B1JFK0t+oTC

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

Version

5.0

tr3.localto.net:42425:52773

16.ip.gl.ply.gg:52773

Mutex

JVWiY181Z4kxTf0K

Attributes

install_file
USB_Driver.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
static1/unpack001/XClient.exe	family_xworm

Xworm family
xworm

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Nursultan (Creator Shake).exe
unpack001/XClient.exe

Files

Desktop.rar
.rar
Nursultan (Creator Shake).exe
.exe windows:6 windows x86 arch:x86

634ebe92c1026fa85f8f7ce5b257e6f1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

gdi32

GetCurrentPositionEx

user32

ReleaseDC

ole32

CoGetApartmentType
CoGetObjectContext

advapi32

GetSidSubAuthority

kernel32

HeapReAlloc
CreateFileW
HeapSize
ReadConsoleW
CloseHandle
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
GetModuleHandleW
GetProcAddress
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
GetCurrentProcess
TerminateProcess
GetExitCodeThread
WideCharToMultiByte
GetStringTypeW
MultiByteToWideChar
RaiseException
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
TryAcquireSRWLockExclusive
InitializeConditionVariable
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableSRW
GetLastError
FreeLibraryWhenCallbackReturns
CreateThreadpoolWork
SubmitThreadpoolWork
CloseThreadpoolWork
GetModuleHandleExW
InitOnceBeginInitialize
InitOnceComplete
EncodePointer
DecodePointer
InitializeCriticalSectionEx
LCMapStringEx
GetCPInfo
ReadFile
RtlUnwind
SetLastError
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
ExitProcess
GetModuleFileNameW
GetStdHandle
WriteFile
HeapFree
HeapAlloc
GetFileType
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetProcessHeap
SetStdHandle
GetFileSizeEx
SetFilePointerEx
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
WriteConsoleW

Sections

.text
Size: 178KB - Virtual size: 178KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 67KB - Virtual size: 66KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 172KB - Virtual size: 175KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
XClient.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 30KB - Virtual size: 29KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

634ebe92c1026fa85f8f7ce5b257e6f1

Headers

DLL Characteristics

File Characteristics

Imports

gdi32

user32

ole32

advapi32

kernel32

Sections

.text Size: 178KB - Virtual size: 178KB

.rdata Size: 67KB - Virtual size: 66KB

.data Size: 172KB - Virtual size: 175KB

.reloc Size: 10KB - Virtual size: 9KB

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 30KB - Virtual size: 29KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

.text
Size: 178KB - Virtual size: 178KB

.rdata
Size: 67KB - Virtual size: 66KB

.data
Size: 172KB - Virtual size: 175KB

.reloc
Size: 10KB - Virtual size: 9KB

.text
Size: 30KB - Virtual size: 29KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B