xworm | Spotify[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Spotify.exe
Size

121KB
MD5

059bd3419b36e8c9c936cc76e6997677
SHA1

71dd80e4277930567615b6b1046027de77c30097
SHA256

402874946771a1e440f01f33961b1ea0fbb4062e6759c3865bf250b94d568499
SHA512

341ea6deb5adc5290818cc02ffaaa24e4aca79e5073595cdefd4d453b61c3cea7edacd9686da5d015c676f025cdd71b773fc57a626225b068ece844d9aaab112
SSDEEP

768:uFXC6fTko1uB8g2fGPQ+6PTnPakb9A9vC8yNDOhhkmKs1lKaoHoTFz:uFXTk70ykb9A7cOhyruKcz

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:4140

147.185.221.21:4140

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7941260471:AAEv-kCBGyS_dIDa29v5SvpVyZtfpkAHfyE/sendMessage?chat_id=6323688757

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Spotify.exe

Files

Spotify.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 52KB - Virtual size: 52KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 68KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ