xworm | susp[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

susp.exe
Size

162KB
MD5

46b98043b891a61b9976ed55ea9cc32f
SHA1

bdbcfed17635f2c9683a33bca637c9464dffd6ee
SHA256

ba9bfee59bacaefca8eb6560a64bab8eacee7ce7d8fcbbb5257749795c1a1d89
SHA512

4a2e44eb68e52f756a38960d139b5b838876d7d5282e893c94285874b1910b59077087f5774ee9a39b0daa3d45759dffc83bf4b0c1dee1fcc8c78e0f88bf3432
SSDEEP

1536:Q1tCUGqI5Lrqnau5a5bPiqbgZIOYlLBYfpysa7iAMJ:Q1tCUcuE5bPitOOYdBYfpYuAm

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

10.40.30.210:7000

Attributes

Install_directory
%ProgramData%
install_file
Teams.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
susp.exe

Files

susp.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 53KB - Virtual size: 52KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 108KB - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ