xworm | smss[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

smss.exe
Size

64KB
MD5

93b46dc99bdafd738fdec90ec3a7b65c
SHA1

b6dfb90ec8f04aa026c35d4b368819d6b5649dc1
SHA256

f5cdf3d175cffdbbae859c3a1fd70051e6b14935a23eee0a12c1ca67ec065f45
SHA512

90b11817427967a7905ccaf328da01a91cf0165b58732ebc604f0c18bfe2c83289a16ec72f08c525cffca8b8986bcb6f763fd9b7c87195c057c79aa5d4e09af3
SSDEEP

1536:rA8t341Hy3emotRGJY+JCpM+pAcfVibmIytB9p1zrgbbLb2/ROWiTJ:lt34Y3erqkpzi5bmr1Xgbb/iROWiTJ

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

engine-regression.gl.at.ply.gg:34245

Attributes

Install_directory
%AppData%
install_file
smss.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
smss.exe

Files

smss.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 61KB - Virtual size: 61KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ