xworm | Wurst Client[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Wurst Client.exe
Size

192KB
MD5

6a2121e22597adf80d52edcc4d3685ba
SHA1

e9879fddb3773b1366e66e948da97e77e7cce411
SHA256

0f12b7975ffed10dfd5c4bfe05613fb97f84caa84aa06d577b55a5a2196a8792
SHA512

c58fa62f2b8b038578e9b1800bd121c7d364d0d6a0c5ae45225a25939f5dbf4c9eaad60885f37ebdd8adde140192c229fec4371129a0dfff2cc11b0f8ebc94ee
SSDEEP

3072:lBKAgiuOsF1bLDbfkaHyi2qO2K/OglOHIu4h1a:ha1Tbf5SEO2KOHI7z

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

happy-pregnancy.gl.at.ply.gg:27515

Attributes

Install_directory
%AppData%
install_file
Wurst Client.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Wurst Client.exe

Files

Wurst Client.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 79KB - Virtual size: 79KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 111KB - Virtual size: 111KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ