xworm | XWClient[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

XWClient.exe
Size

96KB
MD5

0cf4df61a28eb5bf409963e86ae47d44
SHA1

576c6660b1e46958814a5d524ff67c0adf3c8f47
SHA256

e3fd995e36ea5be776810badc67c47ca5c33c5e1205a3d94624388f5529a4ff9
SHA512

926e210e6ef2550297b2e0899d2c7795cdfae62d5fafa84791267ac9c5082e979266b7b5f1cda5fcb4c474e88930173ad546d77810ca16120291fa7307ca2b79
SSDEEP

3072:Q44a/764sTXbzhEEOmTj+0h1xt62CXH/iDi:QOj6vjbeA69XS

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

2.tcp.eu.ngrok.io:19614

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
XWClient.exe

Files

XWClient.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 58KB - Virtual size: 58KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 37KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ