xworm | uzpn is coolio[.]exe | Triage

Sharing

General

Target

uzpn is coolio.exe
Size

76KB
MD5

3a95b8b68f29409589094c4497b9c050
SHA1

8be1240201d17f52605e3c873ea70e612a088484
SHA256

cc4387111fef858ae0c66c19bab6b13569789117c3b8a464797cc4a5db2198ef
SHA512

841ced2e66d73f6fec1187d657179fb7bfbd4b1daa20330007ea62c5c6e74c6580cbf8d4dd1f01b0227f524bf56650ec9337d822746de9e29f24854e1b26c849
SSDEEP

1536:pPQqwzNzpDFLYVUP8LjVtzBwUChnwl7K5bH9CPYFyxU/O+6NWppd:pyNFDiUUVXRF2bHIUyxU/O5NE/

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

uk2.localto.net:34675

Attributes

Install_directory
%AppData%
install_file
Google.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
uzpn is coolio.exe

Files

uzpn is coolio.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 73KB - Virtual size: 73KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ