xworm | naga[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

naga.exe
Size

176KB
MD5

ff17ebf37999f969e021bd6851668e5f
SHA1

0b12995157311e303eda83e2085612659ee59dde
SHA256

94db7b9f381bcba941de619c73bac7802d4f02d8fd23243c1cc02d5a88ff091c
SHA512

dffaa8b920d8b92f7aa4aedffab826c651b321d6be7346458cc72fd71d4d38f0b84f9478395c339ba80fd94f8b69cff8e0040d102e576fef588503bd7635d285
SSDEEP

3072:h0Fu868yjMab6HdDTyEO2o479XBz65/M6If+3Js+3JFkKeTnY:h0Fu868yoabGvvXxBt25

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:8808

90.217.43.208:8808

Attributes

Install_directory
%AppData%
install_file
bloxstrap.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
naga.exe

Files

naga.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 76KB - Virtual size: 75KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 99KB - Virtual size: 98KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ