xworm | MicrosoftAccount[.]exe | Triage

Sharing

General

Target

MicrosoftAccount.exe
Size

69KB
MD5

60efdd9e1cf39dd0a3a7fbdeb6a2d391
SHA1

29dbc62cedd344c115047fcec30f83e81c6d794c
SHA256

5ad2e8363c51cc2392e5ea5c34fd426d585c118a1010cd034ccca53cb9aea8b0
SHA512

c070114f7bbc384b5362111a70f1a910ecbf08b909d9e7b4222c904c221a107494e38840f5bc443faee8822281c5d46d65c7970003b7b625e7d1488ce6d58b84
SSDEEP

1536:fl/VpCz5Iqc+28akCkj42kbOOhW8DS6qfRtFAO5ZPYC:fldN8ak9kbbI8ot2O5ZPx

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7703

147.185.221.25:7703

regarding-states.gl.at.ply.gg:7703

Attributes

Install_directory
%AppData%
install_file
ApplicationFrameHost.exe
telegram
https://api.telegram.org/bot6353034618:AAHzEkRGIc7NNoV5QuVXoAVVOMmU4ikzPYc/sendMessage?chat_id=1735841155

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
MicrosoftAccount.exe

Files

MicrosoftAccount.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 67KB - Virtual size: 66KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ