Behavioral task
behavioral1
Sample
e6f7963c726231571294a06e1e8b1f03b87684cad8383bb194b957fc685685c2.exe
Resource
win7-20240221-en
General
-
Target
53672dd264c745b0b184e37e01d6ec2dc4d730a5acc77cb72d0f77faec6a4769
-
Size
42KB
-
MD5
13f2eadb80c5a2bf42b8edc8cbce3ae0
-
SHA1
ad984d290d147744f3dc4acc935de0927bf9b430
-
SHA256
53672dd264c745b0b184e37e01d6ec2dc4d730a5acc77cb72d0f77faec6a4769
-
SHA512
f5bca65f4528da026257be7d621cf008b16d68395d4f3e90cea5e17433de050fcbea820aaf7457de569be7e23d012a8cdfccf9dcb446005fc99992ffb9a2172b
-
SSDEEP
768:6tdXcJY25mPrRKyeWXJT2QrbhgouwBinFY2WlyibDD0BKPhUrq58mfznjv26As/T:edOY2GrRooJjbioBoFYZzqaaY8sznjv1
Malware Config
Extracted
xworm
3.0
157.254.223.19:8081
i0Yq2Adr82znjD2G
-
Install_directory
%ProgramData%
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot5498061286:AAEOFPFhizSA_AbkzDV_OWcHlXVsegPpL_c/sendMessage?chat_id=1267602057
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule static1/unpack001/e6f7963c726231571294a06e1e8b1f03b87684cad8383bb194b957fc685685c2.exe family_xworm -
Xworm family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource unpack001/e6f7963c726231571294a06e1e8b1f03b87684cad8383bb194b957fc685685c2.exe
Files
-
53672dd264c745b0b184e37e01d6ec2dc4d730a5acc77cb72d0f77faec6a4769.zip
Password: infected
-
e6f7963c726231571294a06e1e8b1f03b87684cad8383bb194b957fc685685c2.exe.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 37KB - Virtual size: 37KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 110KB - Virtual size: 109KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ