xworm | upgrade[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

upgrade.exe
Size

75KB
MD5

4d28e7e37cdc63cdd8b1c80f816853dc
SHA1

1a396d2feafe00b3332128d9469fce1a1c3971b7
SHA256

ab7fec176238f2f42f070a32667bfc781ac6a64413018e832ca5ccb4467c3af9
SHA512

d5e41d419c3e07966c5119d69b13e8043f481549a37f9fc5ad7c3c0a5f140146bd6ba218840e495568d9e05c657b1b845c56b7086855a0f9c4da1898ec7d2926
SSDEEP

1536:grvq1EVFXoaesCt/+D5OYVQ/QbxcbAHd6sjjjV9POSRtjAp1woh1J:S0ai+9OYQ/QbxcbA9DvTOKtUplx

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

Version

3.1

C2

127.0.0.1:44480

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
upgrade.exe

Files

upgrade.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 68KB - Virtual size: 68KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ