xworm | OBS[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

OBS.exe
Size

241KB
MD5

906fcfc94d104f10aa98b0064b9b804c
SHA1

204a9ffcc03f9de717553f6d1d0cbbba25b29ff4
SHA256

4cea36a088d1de893433331e9a35b81ecdf71d07e289177f7e5e8e7e7be18c48
SHA512

ee23fe05dbdf4ac4654f8cfad1933cee9fa709669e7496bb576eeb512fc1969b41696c4134ecc6c4f23ae4e2fb6c12b3ff5bf9550e5c27ef923d58787ee628ea
SSDEEP

3072:fc8HhOxfhFu9yjOfZ5o6eebFMN3NTaupap2UvDkKQiJR:fc8Hsx/u9DNcNTaupa6

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

Version

3.1

C2

192.168.19.1:7000

Mutex

FyNMqIwz6SpiPxnV

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
OBS.exe

Files

OBS.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 33KB - Virtual size: 33KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 206KB - Virtual size: 206KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ