xworm | krampus[.]rar | Triage

Sharing

Copy URL Twitter E-mail

General

Target

krampus.rar
Size

88KB
MD5

ac2503cd31dca53357a49e68ea6994e2
SHA1

b02ab0404058ab5798c5d94eaa51034ea4e83eb8
SHA256

13a4c84d238e679f337b702d33299fa75d921d4718ca5bdb9ed4fc2072cf627e
SHA512

580bab36de6f7bb8c8756a0159c59a21b46d479457f7e3fe18d6622b0651f49f6f8cbc74f32a6dc42259a61a388011abf8fd19857f92c4469cacdc35d41fce4a
SSDEEP

1536:GQUqgFIsoYAqRQ36tvaOapJmA+mMA9i9GIgULI92rD3aG7mRM5DUtf2Bk/:GQgF/oYdxZaOapXd9uGzU89nG7tWtf2W

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

84.54.51.97:7000

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
static1/unpack001/Ro-exec/loader.exe	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Ro-exec/loader.exe

Files

krampus.rar
.rar
Ro-exec/READ ME (ro-exec).txt
Ro-exec/ezdebug.png
.png
Ro-exec/loader.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 63KB - Virtual size: 63KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ