xworm | xyi[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

xyi.exe
Size

90KB
MD5

510ef78138642a4ddd11142f45c565e4
SHA1

1bd0771b57bae27ba9ab7b7080c0a0874cc657c3
SHA256

b1f75d88a3e517b4bcfee253f6d936f1cac4bdcca19e33a0d17ef0d446d50955
SHA512

757bf8ff0cb1c0710d0c765b94fc3f096d1413a7b064a0af57181ad6e83ca7d4371a141c0998c543eed201c202a0dcd5cf5f1e9698262a1d63674bd44e327c5e
SSDEEP

1536:Hbr01SX0CIy1ChLfcy5stFU/kLbzY+X6R6yj/QilnATRO6HT/Nd7M:/0VCuDH+bzYJvLLlnKRO6z//M

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:8848

localhost:8848

institute-springer.gl.at.ply.gg:8848

Attributes

Install_directory
%AppData%
install_file
OperaGX.exe
telegram
https://api.telegram.org/bot6665745685:AAHzcJQwrpeYgngUPNuJpP07kl6hombfDj8

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
xyi.exe

Files

xyi.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 87KB - Virtual size: 87KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ