xworm | DarkLoader[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

DarkLoader.exe
Size

57KB
MD5

8fe7d92ca519d2c0b34104c6099c2a71
SHA1

4563da22bd956c6ff2166099426061d558cb9931
SHA256

00850425582a22c868e727fbb72c188db08232313902f13b59473f7d46dc722a
SHA512

dd9e9a3ccad25eebcb7beacf94ca00cd1c68361b7573975f0c0295b5f5ff6cf6db03f0829df923a72b350e0af8013d400956aec145da8d1b50f4951f1fc4a488
SSDEEP

768:/r8rcj5gyBiT9t/TJ8q9WKFG95F764Ouh86LRHTn:G5uq/FG95R64Ou6Cn

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

5.tcp.eu.ngrok.io:19444

Mutex

dmGEi4sCsdEP5Ik6

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
DarkLoader.exe

Files

DarkLoader.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ