xworm | a23925b34df80c67cbaaadb78b403e9eaa7f792d9e94f77faa6a5ed4d4c418ea

General

Target

a23925b34df80c67cbaaadb78b403e9eaa7f792d9e94f77faa6a5ed4d4c418ea
Size

41KB
MD5

72d4dd4ad2f39a813e5b934072ad4cdd
SHA1

f47dd00613a69c1f6c66166c77aa0f94ae81a557
SHA256

a23925b34df80c67cbaaadb78b403e9eaa7f792d9e94f77faa6a5ed4d4c418ea
SHA512

b85612bcf09c3f411d3617550614d31382be5831b42cf3014e5ff987c2d126d51359c07ab14fcfdf9c352443849c12c9d8528a9633b48e0aaaadc6205b722f17
SSDEEP

768:IssOIlJMG3SHaQH3uRqCp4OFWPG9GMG6OOwh6ju1:IQ2g6i3ClFv9GJ6OOwcq1

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

Version

5.0

C2

panpoppo-25611.portmap.io:25611

Mutex

yLROxEcbNBUkggRN

Attributes

Install_directory
%AppData%
install_file
System.exe
telegram
https://api.telegram.org/bot7029474494:AAH1z4aA2-VnubfHzTm9hl-5PQmAMfTuggo/sendMessage?chat_id=5258405739

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables using Telegram Chat Bot 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
a23925b34df80c67cbaaadb78b403e9eaa7f792d9e94f77faa6a5ed4d4c418ea

Files

a23925b34df80c67cbaaadb78b403e9eaa7f792d9e94f77faa6a5ed4d4c418ea
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 38KB - Virtual size: 38KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

.text
Size: 38KB - Virtual size: 38KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B