xworm | amph_64[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

amph_64.exe
Size

75KB
MD5

1d3b17acd258e7111a4a04b87c7ebc97
SHA1

d8f533634a1c2f7848ca9dafc550b869d4844bd5
SHA256

9c6ac0ccab570954eaead7b9a976d5250a6748ab4c03dea53b2cd0eb18a76c6f
SHA512

44856b36641fecaddf4b3f7de04997c7bb08bf58f67d9f8e4b23652a136fa19a5150d50ad407f08a5bb433ef54699fa45c9a16511128ba5d65d8f1e466755063
SSDEEP

1536:2VcbrF2Kb7zE0Hil5jGMAU56b3BUBgj26WyzUjbs6wSOkk3wpCGi:AYdb0GY56b3jj2+SOl3VGi

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

provides-reduces.gl.at.ply.gg:8848

Attributes

Install_directory
%AppData%
install_file
Antimalware Service Executable.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
amph_64.exe

Files

amph_64.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 72KB - Virtual size: 72KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ