xworm | 73309cc961f9645c1c2562ffcdc2dab1[.]bin | Triage

Sharing

Copy URL Twitter E-mail

General

Target

73309cc961f9645c1c2562ffcdc2dab1.bin
Size

125KB
MD5

286ce29bcfa0140cc9321cde45b37634
SHA1

b0d3b7172b66220212e658cd40d6bc1c60d6c378
SHA256

d85b95d2f4a706774535a312c90cf6131bae34f8fea05d595160f9854321537b
SHA512

c67e508251948991afa45a80bf4a0d7c60abf14bf03ec2cfaba4e35a65287378c6f3e75d69936bc58acf97802f620a576a223643081933df341a3b12444dd51b
SSDEEP

3072:+aF12bRcCYR3E4omAR6QVY4ZodY5Ne2ZBuL50gZR:n12230VVYPdMeiud0QR

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000

beshomandotestbesnd.run.place:7000

Attributes

Install_directory
%ProgramData%
install_file
taskmgr.exe
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
static1/unpack001/287e94024ef4ea0f1d9aad740b75a2ff594dd93062848867ed028ac719143298.exe	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/287e94024ef4ea0f1d9aad740b75a2ff594dd93062848867ed028ac719143298.exe

Files

73309cc961f9645c1c2562ffcdc2dab1.bin
.zip

Password: infected
287e94024ef4ea0f1d9aad740b75a2ff594dd93062848867ed028ac719143298.exe
.exe windows:4 windows x86 arch:x86

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 89KB - Virtual size: 89KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 108KB - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ