xworm | IncognitoFix[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

IncognitoFix.exe
Size

78KB
MD5

3b82ce349e47ef260418be5c7b04b2a1
SHA1

c61b99be6b48fd16db7ce29d1d1b97ad46e88429
SHA256

e6fa3c8735a67b5f86388797937ce81665ae4f1172b1af0c7f05b01d5e7a5e80
SHA512

fe4e60b9d35183c3b583d0e0eada6f4bdb2db4687279f4799a6297f925b5eefb30ae46447202da4a6e552968a2cb88742741e30d862a90a913dcc9c6054ec1c8
SSDEEP

1536:XF1DejprWjeE1G+OuhmbCdaFdvKN6bOU1dWg:XnqcjeYcrbCeKoOUSg

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:8848

mb-each.gl.at.ply.gg:8848

Attributes

Install_directory
%LocalAppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
IncognitoFix.exe

Files

IncognitoFix.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 75KB - Virtual size: 75KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ