xworm | a805c895c507a30f12e39e04f55a7bf1[.]bin | Triage

Sharing

Copy URL Twitter E-mail

General

Target

a805c895c507a30f12e39e04f55a7bf1.bin
Size

59KB
MD5

6546358cd4039f87a7e20ac05ff60881
SHA1

42eee015c88237e17cf3fe804c4d563116798de2
SHA256

8afd3d09c60a88fd6e8b43cc017a90a9d0e60852dfd0f22b0034e4d610716dca
SHA512

5e67ca26ffae84ce3b0a56effe4a9a977dcf26170c8acbc019015fb0e6c207dd014e87130126e810b7490f1b2f53e21a415487d78fe9ffb1af2c4094e0256c9e
SSDEEP

1536:ET9T75bP9YeeEb4fUXU2D3HMFsWTUI1JI2WsVF:ETd75b2k4f6U4HesUUYrWsP

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:1234

143.198.208.124:1234

Attributes

Install_directory
%Temp%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
static1/unpack001/1f002be3e2c89853aab023bcfac564bf6a2f0fe4d3ff936444594964413b6fba.exe	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/1f002be3e2c89853aab023bcfac564bf6a2f0fe4d3ff936444594964413b6fba.exe

Files

a805c895c507a30f12e39e04f55a7bf1.bin
.zip

Password: infected
1f002be3e2c89853aab023bcfac564bf6a2f0fe4d3ff936444594964413b6fba.exe
.exe windows:4 windows x86 arch:x86

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 70KB - Virtual size: 70KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 99KB - Virtual size: 98KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ