Behavioral task
behavioral1
Sample
a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe
Resource
win10v2004-20240508-en
General
-
Target
5ad0a139daa10def6783d34a578882eb.bin
-
Size
32KB
-
MD5
18e680b9345a62bb61822fc790256a25
-
SHA1
b25f94f9ec946abd4c2958f39162c36adcdb38f2
-
SHA256
cfb3a4e43fd935a2a9460d7476c7119b8037dc64572f5d31855d6a78da3a7036
-
SHA512
9b2fe743b3c70bebbd2be74088a73dfe6ad4bdf7b2bbbfc8c99ee38dccd69250a66c5642c3bd9295b36bd709d6470451b68639ca7d5401d976a9ba913e826993
-
SSDEEP
768:bQU5Gd9irzQw7IWFmpCKMh6YRPmWl00DntIHtIgPOKVa:bP5s0z7PYCK+FmWl0QkzdY
Malware Config
Extracted
xworm
5.0
sekoneko.zapto.org:1111
epkUNO9aHruE9KEn
-
Install_directory
%AppData%
-
install_file
win64.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule static1/unpack001/a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe family_xworm -
Xworm family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource unpack001/a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe
Files
-
5ad0a139daa10def6783d34a578882eb.bin.zip
Password: infected
-
a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe.exe windows:4 windows x86 arch:x86
Password: infected
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 39KB - Virtual size: 38KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 81KB - Virtual size: 80KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ