xworm | WDefender[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

WDefender.exe
Size

67KB
MD5

e0fdede0e36b65470d0628f3f618117b
SHA1

278f9903dcf0e417ceec662e83cc43078eb7273f
SHA256

23c15f622d5a982b8caa81f4e7538f636ba8c11616fa9712c0c46bc696d5215d
SHA512

7a62180709ba5fec957087e4c3a18356ed52aa726b51dce47bba6cb4daa49a0bd320c1b46e26234d481fdd9effd900f1eed48a13ad4dbd23192e5172d534c79c
SSDEEP

1536:nilMvSV/K0eUyJcwOI5Fs34GbyeyQRq5sCO7qxhM:nRKVS0eUSP5Fs34GbyeR6sCO7GhM

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

rachelere-35477.portmap.host:35477

Attributes

Install_directory
%AppData%
install_file
WD Defender.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
WDefender.exe

Files

WDefender.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 65KB - Virtual size: 64KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ