General
Target: X2Client.exe
Size: 327KB
MD5: 23b1cf7a34f7c36dc66cb2d92958f07b
SHA1: 9ff8c1adf93129e89e0993138c6c6858606a5d04
SHA256: 4a43d7235b9c3160fdc5d26f1290c5a5aed202e838e043a286fd5d4cafd2f2d6
SHA512: b8357a4332cdb27f03f92cbfb4e629efe1d492310dee44cae7fd7e6f75810a6faf1cb2163e1f3e65d1444efa4d0801b9c263b939b11db2a97b77263c9e6ce637
SSDEEP: 1536:48iwmMtt14eBRNdIkuU799/+b+38dtuBKOoMbR8Si1sFGfFuAYCRAutPsAzAUCBy:IextBZIU799/+b+kuKODbR4t
Malware Config
Extracted: xworm
  chicago-employed.gl.at.ply.gg:47945
  147.185.221.19:47945
  <Xwormmm>:3412
Install_directory: %AppData%
install_file: Runtime Broker.exe
Signatures
Detect Xworm Payload (1 IoCs)
  resource: yara_rule sample family_xworm
Xworm family
Unsigned PE (1 IoCs)
  Checks for missing Authenticode signature.
  resource: X2Client.exe
Files
X2Client.exe.exe  windows:4  windows  x86  arch:x86
  f34d5f2d4577ed6d9ceec516c1f5a744

Headers
DLL Characteristics: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_NO_SEH, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE

Imports
mscoree: _CorExeMain

Sections
.text   Size: 72KB  - Virtual size: 71KB   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   Size: 254KB - Virtual size: 254KB  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  Size: 512B  - Virtual size: 12B    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ