xworm | spoof test[.]7z

Resubmissions

04-12-2024 22:25

241204-2b8m1szpej 10

04-12-2024 22:22

241204-2adq9aznfm 10

Sharing

Copy URL

Twitter E-mail

General

Target

spoof test.7z
Size

50KB
MD5

2b80931dfec2265ac0357414e27497f4
SHA1

d7bfec86f61e214a8b43fcdcaaf82bda5e88557a
SHA256

9f83ee8c3f2263e2400f1dc667c58520a846d81b12e8d15f62e4dfeba4389b3b
SHA512

cb9443487acf4de4a33deb781ef206533cf5b4095671f08dd2b5607f388a82be8478b4db86b5ceaebb6f1dcd6958cd2d09399a0acea04ecb6d9368fb94cda203
SSDEEP

768:AH1u19IsbaKCa8fll6kehelKR8e1vmrnwJU2O3QLp5OYgtf8aGZqfTn:AVuXIsqaSlRehZRBF+/pip/glOcTn

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

database-recommendations.gl.at.ply.gg:17666

Attributes

Install_directory
%AppData%
install_file
System User.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
static1/unpack001/mapper.exe	family_xworm

Xworm family
xworm

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/DiskHandler.sys
unpack001/SMBiosHandler.sys
unpack001/mapper.exe

Files

spoof test.7z
.7z

Password: discord.gg/vixen
DiskHandler.sys
.sys windows:10 windows x64 arch:x64

5700fe089c5ee27b6d2a21d3dc70ffb5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\conspiracy\Downloads\CatSigma\CatSigmaPaste\x64\Release\Kernel.pdb

Imports

ntoskrnl.exe

wcsstr
RtlInitUnicodeString
DbgPrintEx
KeInitializeEvent
KeWaitForSingleObject
ExAllocatePoolWithTag
ExFreePoolWithTag
MmMapLockedPages
IoBuildDeviceIoControlRequest
IofCallDriver
IoGetAttachedDeviceReference
IoGetDeviceObjectPointer
ObfDereferenceObject
RtlRandomEx
IoEnumerateDeviceObjectList
ObQueryNameString
swprintf
ObReferenceObjectByName
IoDriverObjectType
tolower
strstr
MmCopyMemory
ZwQuerySystemInformation

Sections

.text
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 276B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 1024B - Virtual size: 722B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
SMBiosHandler.sys
.sys windows:10 windows x64 arch:x64

54cc18583836740829cf45d883ba72a7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\conspiracy\Downloads\WooferPaste\WooferPaste\build\bin\not-a-paste-trust.pdb

Imports

ntoskrnl.exe

RtlInitString
RtlInitUnicodeString
ExAllocatePoolWithTag
ExFreePoolWithTag
IoGetDeviceObjectPointer
_vsnwprintf
vDbgPrintExWithPrefix
KeQueryTimeIncrement
MmMapIoSpace
MmUnmapIoSpace
RtlRandomEx
strstr
ZwQuerySystemInformation

Sections

.text
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 240B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 512B - Virtual size: 426B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
mapper.exe
.exe windows:4 windows x86 arch:x86

Password: discord.gg/vixen

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 75KB - Virtual size: 75KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
mapshit.bat

Resubmissions

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: discord.gg/vixen

5700fe089c5ee27b6d2a21d3dc70ffb5

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

Sections

.text Size: 9KB - Virtual size: 8KB

.rdata Size: 1024B - Virtual size: 1024B

.data Size: 512B - Virtual size: 12KB

.pdata Size: 512B - Virtual size: 276B

INIT Size: 1024B - Virtual size: 722B

54cc18583836740829cf45d883ba72a7

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

Sections

.text Size: 6KB - Virtual size: 5KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 512B - Virtual size: 8KB

.pdata Size: 512B - Virtual size: 240B

INIT Size: 512B - Virtual size: 426B

Password: discord.gg/vixen

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 75KB - Virtual size: 75KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

.text
Size: 9KB - Virtual size: 8KB

.rdata
Size: 1024B - Virtual size: 1024B

.data
Size: 512B - Virtual size: 12KB

.pdata
Size: 512B - Virtual size: 276B

INIT
Size: 1024B - Virtual size: 722B

.text
Size: 6KB - Virtual size: 5KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 8KB

.pdata
Size: 512B - Virtual size: 240B

INIT
Size: 512B - Virtual size: 426B

.text
Size: 75KB - Virtual size: 75KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B