xworm | df42a27a39c57d105ca4860a4fe90999[.]bin | Triage

Sharing

General

Target

df42a27a39c57d105ca4860a4fe90999.bin
Size

50KB
MD5

5d87ea155adb2c7651cffcabee30c5c6
SHA1

166597ecc9847168eea8230549e3af129a3b7e3b
SHA256

ac1a5d5a120ed45ff8a71828374b83c59dd4bd8e68d68319acf989aebf4297d1
SHA512

9dc242888813ec3015ca8dc573eaca3da0d69804a07fe06c9b3c5313687708b5be6bf9513d55e932e5766990d3dc340f649a94d44bebe54895c0609b01738504
SSDEEP

1536:N4OX8Gu6g6dX7v15SVjUKBA5Aw3YgRjiWls:hXUmdX7v98iYKiWls

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

Version

3.1

C2

kids-abstract.at.ply.gg:26193

Attributes

Install_directory
%Userprofile%
install_file
MSASCuL.exe
telegram
https://api.telegram.org/bot6118963747:AAFPoeeAyXiG-pd4NsJhnJCS9gC7YtmGuis/sendMessage?chat_id=5210247710

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
static1/unpack001/574bbc258f00e8ef099184a763b7f03075218c56ebfcd90f0319250cb8cd82ae.exe	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/574bbc258f00e8ef099184a763b7f03075218c56ebfcd90f0319250cb8cd82ae.exe

Files

df42a27a39c57d105ca4860a4fe90999.bin
.zip

Password: infected
574bbc258f00e8ef099184a763b7f03075218c56ebfcd90f0319250cb8cd82ae.exe
.exe windows:4 windows x86 arch:x86

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 78KB - Virtual size: 77KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ