xworm | XClient[.]exe | Triage

Sharing

General

Target

XClient.exe
Size

167KB
MD5

a7df6dfed10d54c4a59828be8ce7bd71
SHA1

e5075061df638bf627e98c2ffb8dde99ce1d6ff7
SHA256

9239e706f06a5a88aec93df74a88b934fd403c18b9c63a0abd32c43cba11399f
SHA512

eb20afca81a58e769e8cebce8ed7548802e52abc90bc31d63a57e9ea9ddb4311ceb6e5f0418eb62e0d2e2e5de64f368dd4328d702c61c5bcc4b20f17da844dc2
SSDEEP

3072:zZn1arYF49IMOwgRUGKXs+S++7KFSbxeY+qDDrMK:NAri49LGqStKEbxI

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

tTl1Y5wGzkYBSyRY

Attributes

Install_directory
%ProgramData%
install_file
gamesamse.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
XClient.exe

Files

XClient.exe
.exe windows:4 windows x86 arch:x86

Password: 123

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 127KB - Virtual size: 127KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ