xworm | gsB72LsjeW3OnCXIXNtojNdbm7okSb05AnMAnwKs[.]zip | Triage

Sharing

General

Target

gsB72LsjeW3OnCXIXNtojNdbm7okSb05AnMAnwKs.zip
Size

259KB
MD5

d3afd759cf24de3a5cf01e3e92a2eef1
SHA1

b6c31d6ec8a11a9b2aa1d264827a83c43d13ec0c
SHA256

e3124c7431ae62c1d0c7e508e318ac091e240cddfe00f768583fa496afa69bf8
SHA512

1817d2877e02b2f607e6062a566a5db74534bbe9f8cb665fe6158a0cc6d937fc6ae02cffe09d5ccdb8e74473e744a7979238fe54646b98fa99c902bc881abc73
SSDEEP

6144:mZ4aJLIwzNPufGgWafLnquhnP/6bmlqgVIVvt4npoxm:44a/h/UfLnBhP/6bhVvWoxm

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/z5PQ82wE

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
static1/unpack001/Krampus/23vcD1orbL.exe	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Krampus/23vcD1orbL.exe

Files

gsB72LsjeW3OnCXIXNtojNdbm7okSb05AnMAnwKs.zip
.zip
Krampus/23vcD1orbL.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 83KB - Virtual size: 82KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Krampus/UserManual.txt
Krampus/fuckkrampus.png
.png
Krampus/readme.txt