xworm | GtagMod[.]bat | Triage

Sharing

Copy URL Twitter E-mail

General

Target

GtagMod.bat
Size

52KB
MD5

cc48181dfe2f497ee845e3ee62a741ae
SHA1

9669a69cfecaf8686f4a508319a9406284c1f9f6
SHA256

7a2d4fb8450dd990ba2da5c436a7ee38b2d43edff091ba5504b9814068dc48ee
SHA512

2520c86fa71f193f2c54edb2d026ce010f0e56b035e3b1e11ae0c69e8d1fadc09ca219bf39318f14eb9d4276240c1df9f8690a370d9d34f49b36f0cfacdea52c
SSDEEP

768:9FMAtzQXPotQwP8BZzRh/kb2nFnfQbr+YiMesPNOc3h5IM9:9FMazQXQtBAkb2nFnir+YreslOSl9

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

model-gardening.gl.at.ply.gg:23142

Attributes

Install_directory
%Temp%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
GtagMod.bat

Files

GtagMod.bat
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 50KB - Virtual size: 49KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ