xworm | runincognito[1][.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

runincognito[1].exe
Size

39KB
MD5

667bee9532b02d6c0a08ac7cae2ee6ea
SHA1

c355c29cfcb03a4f1b47d17755b31cbe89f2e1d5
SHA256

0fc74ce9b94c35ea494c23b95b74c98e7d132688b24de1d0ed668229123973a4
SHA512

8b9dc7ba8f20d7ce3db013c16fb88ae7d2484538387e6cf2fc2709e2212c68f3b81c5288f66e6fc45dd6a56fc28c24179e8ade456ab4b3bdaa685e8e97844fc1
SSDEEP

768:f2CSKPu9Wkh6A9C96eutXwwTSmvAFU9OLS6SOMh8L575C:uVK6WgMs2moFU9YS6SOMWpo

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

qXkmxOfhK31UI1Ov

Attributes

Install_directory
%AppData%
install_file
Dllhost.exe
pastebin_url
https://pastebin.com/raw/pw1j2xqz

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
runincognito[1].exe

Files

runincognito[1].exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 37KB - Virtual size: 36KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ