xworm | XClient21[.]exe | Triage

Sharing

General

Target

XClient21.exe
Size

65KB
MD5

1f0562410589065ddf2069df97270eb0
SHA1

8c96e3b03034a206e5fe6146cbfc08c425215a04
SHA256

0bc6914fa7a3303d3a3a3682c17402b1fa5a55f95b9f05b8e01b5cd7b589435f
SHA512

98e3cc133e91a0fb8c7d169abfc53d461fdb654d656cda7ff259fa88f918288f80f0ea4b2e185b861f211ec6b7246a82d3dccb52ba623ebc7ba0565339c5c59d
SSDEEP

1536:hdS7RGHg/yHtTyn/xb1h+bkCtFZ62yInODbOxI9Pm:fSWgKqxb1h+bkGyInODbOxIlm

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

teaching-ada.gl.at.ply.gg:30074

Attributes

Install_directory
%Temp%
install_file
svhost.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource yara_rule

sample family_xworm
Xworm family
xworm
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

XClient21.exe

Files

XClient21.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 62KB - Virtual size: 62KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ