Behavioral task: behavioral1
Sample: f35235d35e19f8aa40812628b7f99836655ff553ef2baed436aefb3948a1eb64.exe
Resource: win7-20240221-en
General
Target: 257a7c749dcad791ffcdcb1a34b5173c94cba699d2f917c3b8103fb8753fe7d6 (the submitted archive listed under Files; the size and hashes below are the archive's, not the unpacked .exe's, whose SHA256 is the sample file name above)
Size: 20KB
MD5: f25e38434ef9ec457447634581acb6d2
SHA1: 564bd7b229adc03d9809d768d90442c5fec3b816
SHA256: 257a7c749dcad791ffcdcb1a34b5173c94cba699d2f917c3b8103fb8753fe7d6
SHA512: 7f9e87d73f049e55f59f6df8636d5a4e70ae550257a3eb22d47db3b8672388c8b6b4b66146c161a67198a7cdfb83b2d07ad0d1f6700b385ff10671643529d022
SSDEEP: 384:Bpfi09//gRK7z/jc2zHaVoAf4Xwv7avx+wzjKDqNQ3TIO:BpqVKP/jce93Xwvmvx+wHKIQ3TIO
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 146.190.57.132:7000
pmpnRm4B5OQHJlSS
install_file: USB.exe
telegram: https://api.telegram.org/bot6491699241:AAEzWMqxLHLa_DADVhFrtpk__NqYBpyS7tI/sendMessage?chat_id=6432387334
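The extracted configuration above is the actionable part of this report: a C2 socket, a Telegram Bot API URL that embeds the operator's bot token and receiving chat_id, and the install file name. The script below is an added example, not part of the sandbox report or the XWorm project, that parses those fields into indicators and runs them over constructed log lines in a hypothetical firewall/proxy/EDR format (the log format, the host 10.0.0.x addresses and the timestamps are made up for the example). The point it makes is the relative strength of each indicator: dst+port and the full bot token are specific to this operator, while the C2 host on another port and a file named USB.exe are only weak corroboration and are reported under separate rule names.

```python
"""Turn the XWorm config from the report into IOCs and match them against logs."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Values copied from the "Malware Config" section of the report.
XWORM_CONFIG = {
    "family": "xworm",
    "version": "5.0",
    "c2": "146.190.57.132:7000",
    "install_file": "USB.exe",
    "telegram": "https://api.telegram.org/bot6491699241:AAEzWMqxLHLa_DADVhFrtpk__NqYBpyS7tI"
                "/sendMessage?chat_id=6432387334",
}

# Constructed log lines (not from the sandbox run): firewall, proxy and EDR style.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z FW allow src=10.0.0.15 dst=146.190.57.132 dport=7000 proto=tcp",
    "2024-03-01T10:00:02Z PROXY 10.0.0.15 GET https://example.com/ 200",
    "2024-03-01T10:00:05Z PROXY 10.0.0.15 POST https://api.telegram.org/bot6491699241:"
    "AAEzWMqxLHLa_DADVhFrtpk__NqYBpyS7tI/sendMessage?chat_id=6432387334 200",
    "2024-03-01T10:00:09Z FW allow src=10.0.0.22 dst=146.190.57.132 dport=443 proto=tcp",
    "2024-03-01T10:01:00Z EDR 10.0.0.15 file_create C:\\Users\\u\\AppData\\Roaming\\USB.exe",
]


@dataclass(frozen=True)
class XwormIocs:
    c2_host: str
    c2_port: int
    telegram_bot_id: str   # numeric prefix of the bot token; survives a token rotation
    telegram_token: str    # full "<id>:<secret>" token; unique to this operator's bot
    telegram_chat_id: str  # chat the infection notices are posted to
    install_file: str


def parse_xworm_config(cfg: dict) -> XwormIocs:
    """Split the config's string fields into typed indicators."""
    host, _, port = cfg["c2"].rpartition(":")
    url = urlsplit(cfg["telegram"])
    m = re.match(r"/bot(\d+):([A-Za-z0-9_-]+)/", url.path)
    if url.hostname != "api.telegram.org" or not m:
        raise ValueError("telegram field is not a Bot API URL")
    chat_id = parse_qs(url.query).get("chat_id", [""])[0]
    return XwormIocs(
        c2_host=host,
        c2_port=int(port),
        telegram_bot_id=m.group(1),
        telegram_token=f"{m.group(1)}:{m.group(2)}",
        telegram_chat_id=chat_id,
        install_file=cfg["install_file"],
    )


def match_iocs(iocs: XwormIocs, lines: list[str]) -> list[tuple[int, str]]:
    """Return (line_index, rule_name) pairs; strong rules shadow their weak variants."""
    c2_socket = re.compile(
        rf"\bdst={re.escape(iocs.c2_host)}\b.*\bdport={iocs.c2_port}\b")
    c2_host_only = re.compile(rf"\b{re.escape(iocs.c2_host)}\b")
    # api.telegram.org alone is legitimate traffic; the operator's token is the indicator.
    telegram = re.compile(
        r"https?://api\.telegram\.org/bot" + re.escape(iocs.telegram_token) + r"/")
    # A file called USB.exe is a weak name-only indicator; keep it, but under its own rule.
    install = re.compile(r"[\\/]" + re.escape(iocs.install_file) + r"\b", re.IGNORECASE)

    hits = []
    for i, line in enumerate(lines):
        if c2_socket.search(line):
            hits.append((i, "xworm_c2_connect"))
        elif c2_host_only.search(line):
            hits.append((i, "xworm_c2_host_any_port"))
        if telegram.search(line):
            hits.append((i, "xworm_telegram_bot_token"))
        if install.search(line):
            hits.append((i, "xworm_install_file_name"))
    return hits


def run_example() -> list[tuple[int, str]]:
    """Match the report's IOCs against the constructed logs."""
    return match_iocs(parse_xworm_config(XWORM_CONFIG), SAMPLE_LOGS)


if __name__ == "__main__":
    for idx, rule in run_example():
        print(f"{rule:28s} {SAMPLE_LOGS[idx]}")
```

Feeding the same `match_iocs` function a real proxy export works as long as the lines carry the URL and the `dst=`/`dport=` pair; for other formats only the two regexes built from those keys need adjusting. Searching for the bot id or chat_id on their own is deliberately left out: both are short digit strings that would match unrelated log content.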
Signatures
Detect Xworm Payload (1 IoC)
Processes:
resource | yara_rule | static1/unpack001/f35235d35e19f8aa40812628b7f99836655ff553ef2baed436aefb3948a1eb64.exe | family_xworm
Xworm family
Unsigned PE (1 IoC)
Checks for missing Authenticode signature.
Processes:
resource | unpack001/f35235d35e19f8aa40812628b7f99836655ff553ef2baed436aefb3948a1eb64.exe
Files
257a7c749dcad791ffcdcb1a34b5173c94cba699d2f917c3b8103fb8753fe7d6.zip (Password: infected)
f35235d35e19f8aa40812628b7f99836655ff553ef2baed436aefb3948a1eb64.exe.exe
windows:4 windows x86 arch:x86
Imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (the generic import hash of a .NET executable whose only native import is mscoree!_CorExeMain; it is shared by essentially every managed binary and is not a useful pivot)
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain (the only native import: the CLR entry stub of a managed executable, so the import table reveals nothing about the sample's behaviour; the logic is in the CIL in .text)
Sections
.text Size: 38KB - Virtual size: 38KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ