xworm | 3451c30e61ca3e7894c37f843249f0b202aa96d9fabd40cca08d70c10b650ebe[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

3451c30e61ca3e7894c37f843249f0b202aa96d9fabd40cca08d70c10b650ebe.zip
Size

779KB
MD5

81062e899f2d58ae78dc74e3ad1c7d0f
SHA1

30e26b3ec28530f7f35accc7e8a6e6838f3c0172
SHA256

3451c30e61ca3e7894c37f843249f0b202aa96d9fabd40cca08d70c10b650ebe
SHA512

30c4cc8535054ed7da2cd100ff5a8d03879c44e4755573b442bbe416a695a5598a1f20c6a5d7cb0f6374b0b710527a51799ca110ef41d6e4e54d042c0bbc21a5
SSDEEP

12288:ebt6BwiS/BMPfgCc2UDC5mykizg+6PGgySVGhSVr2kzYvfr4K2FFHrvYcpJ:0t6yimBMPfD9UfWw8SOKStkTLAiJ

Score

10^/10

xworm

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
static1/unpack001/main-main/RuntimeBroker.exe	family_xworm

Xworm family
xworm

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/main-main/RuntimeBroker.exe
unpack001/main-main/td.exe
unpack001/main-main/tdservices.exe

Files

3451c30e61ca3e7894c37f843249f0b202aa96d9fabd40cca08d70c10b650ebe.zip
.zip
main-main/RuntimeBroker.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 394KB - Virtual size: 393KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
main-main/msconfig.txt
main-main/td.exe
.exe windows:4 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\ZeRysX\source\repos\XD\Persistence\obj\x64\Debug\Persistence.pdb

Sections

.text
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
main-main/tdservices.exe
.exe windows:6 windows x64 arch:x64

6f181bbb9b68fced5b0aaae00cf24483

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\TD-Files\TD\FiveM\FiveM Premium 4\tyhlu\x64\Build\Tyhlu-external.pdb

Imports

kernel32

EnterCriticalSection
LeaveCriticalSection
SleepEx
GetSystemDirectoryA
VerifyVersionInfoA
GetTickCount
MoveFileExA
WaitForSingleObjectEx
GetEnvironmentVariableA
GetFileType
ReadFile
PeekNamedPipe
WaitForMultipleObjects
CreateFileA
GetFileSizeEx
GetLocaleInfoEx
FindClose
FindFirstFileExW
FindNextFileW
Module32FirstW
SetFileInformationByHandle
FormatMessageA
GetModuleHandleW
GetModuleFileNameA
AreFileApisANSI
GetFileInformationByHandleEx
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
OutputDebugStringW
GetLastError
OpenProcess
GetStdHandle
SetConsoleTextAttribute
SetLastError
GetCurrentProcess
DeleteCriticalSection
InitializeCriticalSectionEx
GetProcessHeap
HeapSize
WideCharToMultiByte
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
CreateDirectoryA
QueryPerformanceCounter
FreeLibrary
VerSetConditionMask
GetProcAddress
QueryPerformanceFrequency
LoadLibraryA
GetModuleHandleA
GlobalUnlock
GlobalLock
LocalFree
GlobalFree
GlobalAlloc
MultiByteToWideChar
Module32NextW
Beep
CloseHandle
WriteProcessMemory
Process32FirstW
GetCurrentThread
Process32NextW
CreateToolhelp32Snapshot
SetConsoleTitleA
ReadProcessMemory
Sleep
CreateFileW

user32

GetWindowThreadProcessId
EnumWindows
SetWindowLongA
GetClipboardData
EmptyClipboard
CloseClipboard
OpenClipboard
GetCursorPos
SetCursorPos
ReleaseCapture
FindWindowW
FindWindowA
GetKeyState
RegisterClassExA
GetDesktopWindow
GetAsyncKeyState
LoadIconW
TranslateMessage
SetLayeredWindowAttributes
CreateWindowExA
DefWindowProcA
MoveWindow
SetWindowDisplayAffinity
PeekMessageW
DispatchMessageW
ShowWindow
SetWindowPos
DestroyWindow
GetWindowRect
GetWindow
GetWindowLongW
SetClipboardData
GetSystemMetrics
GetClientRect
SetCursor
SetCapture
LoadCursorW
GetForegroundWindow
TrackMouseEvent
ClientToScreen
GetCapture
ScreenToClient
mouse_event
SendInput
SetWindowLongW

shell32

ShellExecuteW

msvcp140

?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?_Winerror_map@std@@YAHH@Z
?_Syserror_map@std@@YAPEBDH@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??Bios_base@std@@QEBA_NXZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?_Xbad_alloc@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
_Query_perf_frequency
?_Throw_Cpp_error@std@@YAXH@Z
_Cnd_do_broadcast_at_thread_exit
_Thrd_sleep
_Thrd_id
_Query_perf_counter
_Thrd_detach
_Xtime_get_ticks
_Thrd_join
?_Xout_of_range@std@@YAXPEBD@Z
?_Random_device@std@@YAIXZ
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?uncaught_exception@std@@YA_NXZ
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Xbad_function_call@std@@YAXXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$ctype@D@std@@2V0locale@2@A
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ

d3d9

Direct3DCreate9Ex

d3dx9_43

D3DXMatrixTranspose
D3DXVec3Transform

dwmapi

DwmExtendFrameIntoClientArea

imm32

ImmSetCandidateWindow
ImmSetCompositionWindow
ImmGetContext
ImmReleaseContext

normaliz

IdnToAscii

wldap32

ord301
ord200
ord30
ord143
ord217
ord33
ord211
ord60
ord45
ord50
ord41
ord22
ord26
ord27
ord46
ord32
ord35
ord79

crypt32

CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertFreeCertificateChain
CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
PFXImportCertStore
CryptDecodeObjectEx
CertAddCertificateContextToStore
CertFindExtension
CertGetNameStringA
CertGetCertificateChain

ws2_32

closesocket
recv
send
WSAGetLastError
bind
connect
getpeername
getsockname
getsockopt
htons
ntohs
setsockopt
socket
WSASetLastError
WSAIoctl
WSAStartup
WSACleanup
accept
ntohl
gethostname
sendto
recvfrom
freeaddrinfo
getaddrinfo
select
__WSAFDIsSet
ioctlsocket
listen
htonl

rpcrt4

UuidCreate
UuidToStringA
RpcStringFreeA

userenv

UnloadUserProfile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_exception_destroy
__std_exception_copy
__std_terminate
strstr
_CxxThrowException
memchr
memcmp
memcpy
memmove
memset
strchr
strrchr
__C_specific_handler
__current_exception
__current_exception_context

api-ms-win-crt-heap-l1-1-0

malloc
free
_set_new_mode
_callnewh
calloc
realloc

api-ms-win-crt-utility-l1-1-0

rand
srand
qsort

api-ms-win-crt-runtime-l1-1-0

_beginthreadex
_getpid
_invalid_parameter_noinfo_noreturn
system
terminate
abort
_configure_narrow_argv
_initialize_onexit_table
_register_onexit_function
exit
_register_thread_local_exe_atexit_callback
_resetstkoflw
_c_exit
_invalid_parameter_noinfo
__p___argv
__sys_nerr
strerror
__p___argc
_exit
_errno
_initterm_e
_initterm
_get_initial_narrow_environment
_set_app_type
_crt_atexit
_seh_filter_exe
_cexit
_initialize_narrow_environment

api-ms-win-crt-time-l1-1-0

_gmtime64
_time64

api-ms-win-crt-stdio-l1-1-0

_set_fmode
fread_s
__stdio_common_vsscanf
_wfopen
__p__commode
_read
_write
__stdio_common_vfprintf
fseek
__acrt_iob_func
ftell
_get_stream_buffer_pointers
_fseeki64
fread
fgets
fsetpos
ungetc
setvbuf
fgetpos
_pclose
__stdio_common_vsprintf
_popen
fwrite
_close
fopen
fputs
fgetc
feof
_open
fclose
__stdio_common_vsprintf_s
fflush
fopen_s
_lseeki64
fputc

api-ms-win-crt-math-l1-1-0

ceilf
cosf
fmodf
acosf
_hypotf
sinf
_dclass
__setusermatherr
roundf
_dsign
pow
sqrtf

api-ms-win-crt-string-l1-1-0

strcmp
tolower
strcspn
strncmp
strspn
isupper
strncpy
_wcsicmp
_strdup
strpbrk

api-ms-win-crt-convert-l1-1-0

atoi
strtod
atof
strtol
strtoul
strtoull
strtoll

api-ms-win-crt-conio-l1-1-0

_getch

api-ms-win-crt-filesystem-l1-1-0

_stat64
_mkdir
_lock_file
_fstat64
_unlock_file
_access
_unlink

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
localeconv
_configthreadlocale

advapi32

CryptGetHashParam
CryptEncrypt
CryptImportKey
CryptDestroyKey
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGenRandom
CryptReleaseContext
CryptAcquireContextA
ConvertSidToStringSidA
IsValidSid
GetTokenInformation
GetLengthSid
CopySid
OpenProcessToken

Sections

.text
Size: 862KB - Virtual size: 861KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 171KB - Virtual size: 170KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 102KB - Virtual size: 110KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 33KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 394KB - Virtual size: 393KB

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

Headers

DLL Characteristics

File Characteristics

PDB Paths

Sections

.text Size: 8KB - Virtual size: 8KB

.rsrc Size: 1KB - Virtual size: 1KB

6f181bbb9b68fced5b0aaae00cf24483

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

shell32

msvcp140

d3d9

d3dx9_43

dwmapi

imm32

normaliz

wldap32

crypt32

ws2_32

rpcrt4

userenv

vcruntime140_1

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-conio-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-locale-l1-1-0

advapi32

Sections

.text Size: 862KB - Virtual size: 861KB

.rdata Size: 171KB - Virtual size: 170KB

.data Size: 102KB - Virtual size: 110KB

.pdata Size: 33KB - Virtual size: 33KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 2KB - Virtual size: 2KB

.text
Size: 394KB - Virtual size: 393KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 8KB - Virtual size: 8KB

.rsrc
Size: 1KB - Virtual size: 1KB

.text
Size: 862KB - Virtual size: 861KB

.rdata
Size: 171KB - Virtual size: 170KB

.data
Size: 102KB - Virtual size: 110KB

.pdata
Size: 33KB - Virtual size: 33KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 2KB - Virtual size: 2KB