Behavioral task behavioral1
- Sample: 2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe
- Resource: win7-20240221-en

Behavioral task behavioral2
- Sample: 2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe
- Resource: win10v2004-20240508-en
General
- Target: 2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear
- Size: 133KB
- MD5: 1e06d1f23f474c5e6ba0f279d3d3dfac
- SHA1: 307c847fafc7453a1050d85b6099b113a2790ef0
- SHA256: eb8721bfa1bcacc08b8a8712e6a7fc6d4b69776e8b592abef9539c2fc671df50
- SHA512: d1d5302d01fff58479385153160ab271b15f87c87cb5d7ab1df153d818ee9f109fcf8318c7622b068bb4344ab2261aca60c571e2e642d0f84e01bf15ade3c5fb
- SSDEEP: 3072:J+oM/FJZdq/Fk96ytO/fXM+lmsolAIrRuw+mqv9j1MWLQI:C/FJaNk9Ts8+lDAA
Malware Config
Extracted: xworm 5.0
- C2: 103.161.170.251:7000
- Unlabeled config value (as extracted): O5WJMXQSSZKD5Ijn
- Install_directory: %Temp%
- install_file: khiet.exe
- telegram: https://api.telegram.org/bot6833541180:AAEc_LLwKd7Jex1zaN5vTaLg13uuFjIHQEU/sendMessage?chat_id=5747667034

Note that the "hiddentear" suffix in the submitted file name is only the submitter's label; the extracted configuration and the YARA matches below identify the payload as XWorm. The telegram value embeds a Telegram Bot API token and the operator's chat_id in the URL itself, so the URL is an indicator in its own right: pivot on the bot id (the digits after "bot") and chat_id, and do not exercise the URL from an attributable network. The install path (%Temp%\khiet.exe) is the persistence artifact to look for on hosts.
Signatures
- Detect Xworm Payload (1 IoC): YARA rule family_xworm matched on resource sample
- Detects Windows executables referencing non-Windows User-Agents (1 IoC): YARA rule INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA matched on resource sample
- Detects executables using Telegram Chat Bot (1 IoC): YARA rule INDICATOR_SUSPICIOUS_EXE_TelegramChatBot matched on resource sample
- Xworm family
- Unsigned PE (1 IoC): checks for missing Authenticode signature; matched on resource 2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear
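The two INDICATOR_SUSPICIOUS_EXE rules above fire on strings, and the extracted config is likewise recovered from strings in the binary. The script below is an added example, not part of this sandbox report or of any vendor tooling: it recovers both ASCII and UTF-16LE strings (XWorm is a .NET binary, and .NET user strings are stored UTF-16LE, so an ASCII-only `strings` pass misses the config), then pulls out Telegram Bot API URLs with the token redacted, host:port C2 candidates, and any User-Agent that does not name Windows. The input blob, the 203.0.113.10 address, the bot id, the all-A token and the chat_id are constructed placeholders, not values from this sample.

```python
import re
from typing import Dict, List

# Constructed stand-in for a .NET sample's data (not this sample's bytes).
# The config strings sit in the UTF-16LE #US heap; the User-Agent is ASCII.
SAMPLE_ASCII = b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\x00"
SAMPLE_UTF16 = (
    "203.0.113.10:7000\x00"
    "https://api.telegram.org/bot1234567890:"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage?chat_id=1000000000\x00"
    "%Temp%\x00khiet.exe\x00"
).encode("utf-16-le")
SAMPLE_BLOB = b"MZ" + b"\x00" * 64 + SAMPLE_ASCII + b"\x00" * 8 + SAMPLE_UTF16

# Bot API URL: https://api.telegram.org/bot<id>:<token>/<method>[?chat_id=<n>]
TELEGRAM_RE = re.compile(
    r"https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{30,})/(\w+)"
    r"(?:\?chat_id=(-?\d+))?"
)
C2_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{2,5})\b")
UA_RE = re.compile(r"User-Agent:\s*([^\r\n\x00]+)", re.IGNORECASE)


def recover_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs plus UTF-16LE runs, like `strings -a` and `strings -el`."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    utf16_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [r.decode("ascii") for r in ascii_runs] + [
        r.decode("utf-16-le") for r in utf16_runs
    ]


def extract_iocs(data: bytes) -> Dict[str, list]:
    """Return telegram bot references (token redacted), host:port C2 candidates
    and non-Windows User-Agents found in the recovered strings."""
    iocs: Dict[str, list] = {"telegram": [], "c2": [], "non_windows_ua": []}
    for s in recover_strings(data):
        for bot_id, token, method, chat_id in TELEGRAM_RE.findall(s):
            iocs["telegram"].append({
                "bot_id": bot_id,
                # The token alone grants control of the bot; never log it whole.
                "token": token[:4] + "...",
                "method": method,
                "chat_id": chat_id or None,
            })
        for host, port in C2_RE.findall(s):
            if 0 < int(port) < 65536 and all(int(o) < 256 for o in host.split(".")):
                iocs["c2"].append(f"{host}:{port}")
        for ua in UA_RE.findall(s):
            # Mirrors the NoneWindowsUA heuristic: a Windows PE claiming another OS.
            if "windows" not in ua.lower():
                iocs["non_windows_ua"].append(ua.strip())
    for key in iocs:  # de-duplicate while keeping first-seen order
        unique: list = []
        for item in iocs[key]:
            if item not in unique:
                unique.append(item)
        iocs[key] = unique
    return iocs


if __name__ == "__main__":
    for kind, items in extract_iocs(SAMPLE_BLOB).items():
        print(kind, items)
```

Run it against a real dump with `extract_iocs(open(path, "rb").read())`; the host:port regex is deliberately loose and will also match version-like strings, so treat its output as candidates to confirm against the sandbox's network capture rather than as verified C2.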
Files
- 2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe (windows:4 windows x86 arch:x86)
- Imphash: f34d5f2d4577ed6d9ceec516c1f5a744. This is the value shared by every .NET executable, because the only native import is mscoree!_CorExeMain; it is not useful for pivoting between samples of this family.

Headers
- DLL Characteristics: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_NO_SEH, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
- File Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE

Imports
- mscoree: _CorExeMain (managed entry point; the real logic is in the CIL, so decompile it with .NET tooling rather than disassembling native code)

Sections
- .text Size: 33KB - Virtual size: 33KB (IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ)
- .rsrc Size: 99KB - Virtual size: 98KB (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ); .rsrc is most of the 133KB file, so check the managed resources for an embedded payload
- .reloc Size: 512B - Virtual size: 12B (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ)