xworm | ProjectIDE[.]rar

Sharing

Copy URL

Twitter E-mail

General

Target

ProjectIDE.rar
Size

37KB
MD5

b3cd46ad413e807b8a5b55f6744041d7
SHA1

9cb238b40a12fc82782f1bcea8c6408c1af10ab3
SHA256

974b4e7a3b968754c1fc21f09425eacaefa74dc613c2d62a3a0972b6f8a0949e
SHA512

f57e7cc3411eb63e2d5d1bf712146d5167133486ac03da14f0c3dbbda89972d2d88854161ceddadffe38a30fad7e7d281306e0e2df0a9c1b9294c15bf5708125
SSDEEP

768:DUhGSSvkxDqcN8opGB76UrC1gCN2Ta8uSbjAFTBne/BU:D0GVsxDNKopGx4PNl7c8ZZe/+

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

RGMCdXJ9uBejLCdB

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
static1/unpack001/Project IDE fixed.exe	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Project IDE fixed.exe

Files

ProjectIDE.rar
.rar
API.dll
.dll windows:10 windows x64 arch:x64

Code Sign

33:00:00:02:cf:6d:2c:c5:7c:aa:65:a6:d8:00:00:00:00:02:cf
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/05/2019, 21:25

Not After

02/05/2020, 21:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

85:8e:c6:e6:fe:a3:6b:b0:c6:71:b8:2a:60:bd:60:97:3a:9f:4d:02:69:df:65:22:d5:68:81:c3:eb:9f:66:33
Signer

Actual PE Digest

85:8e:c6:e6:fe:a3:6b:b0:c6:71:b8:2a:60:bd:60:97:3a:9f:4d:02:69:df:65:22:d5:68:81:c3:eb:9f:66:33

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

api-ms-win-core-console-l1-1-0.pdb

Exports

Exports

AllocConsole
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetNumberOfConsoleInputEvents
PeekConsoleInputA
ReadConsoleA
ReadConsoleInputA
ReadConsoleInputW
ReadConsoleW
SetConsoleCtrlHandler
SetConsoleMode
WriteConsoleA
WriteConsoleW

Sections

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Project IDE fixed.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 30KB - Virtual size: 29KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Project.dll
.dll windows:5 windows x64 arch:x64

Code Sign

33:00:00:01:87:72:17:72:15:59:40:c7:09:00:00:00:00:01:87
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/03/2020, 18:39

Not After

03/03/2021, 18:39

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

d9:dc:58:2b:ca:99:92:39:b0:28:00:fe:60:18:94:f9:ba:d1:62:40:5d:18:c0:0b:90:f6:e9:a7:67:f6:19:48
Signer

Actual PE Digest

d9:dc:58:2b:ca:99:92:39:b0:28:00:fe:60:18:94:f9:ba:d1:62:40:5d:18:c0:0b:90:f6:e9:a7:67:f6:19:48

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

Accessibility.ni.pdb

Sections

.data
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
dashboard.dll
.dll windows:10 windows x64 arch:x64

Code Sign

33:00:00:02:cf:6d:2c:c5:7c:aa:65:a6:d8:00:00:00:00:02:cf
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/05/2019, 21:25

Not After

02/05/2020, 21:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

3c:6c:9a:43:c5:46:e8:85:a3:95:68:d4:eb:ee:b0:e9:f5:18:74:9b:9c:ad:8d:b3:97:59:48:80:6a:d6:c2:ce
Signer

Actual PE Digest

3c:6c:9a:43:c5:46:e8:85:a3:95:68:d4:eb:ee:b0:e9:f5:18:74:9b:9c:ad:8d:b3:97:59:48:80:6a:d6:c2:ce

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

api-ms-win-core-file-l2-1-0.pdb

Exports

Exports

CopyFile2
CopyFileExW
CreateDirectoryExW
CreateHardLinkW
CreateSymbolicLinkW
GetFileInformationByHandleEx
MoveFileExW
MoveFileWithProgressW
ReOpenFile
ReadDirectoryChangesW
ReplaceFileW

Sections

.rdata
Size: 1024B - Virtual size: 944B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Code Sign

33:00:00:02:cf:6d:2c:c5:7c:aa:65:a6:d8:00:00:00:00:02:cfCertificate

Extended Key Usages

61:0c:52:4c:00:00:00:00:00:03Certificate

Key Usages

85:8e:c6:e6:fe:a3:6b:b0:c6:71:b8:2a:60:bd:60:97:3a:9f:4d:02:69:df:65:22:d5:68:81:c3:eb:9f:66:33Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Exports

Exports

Sections

.rdata Size: 1KB - Virtual size: 1KB

.rsrc Size: 1024B - Virtual size: 1008B

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 30KB - Virtual size: 29KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

Code Sign

33:00:00:01:87:72:17:72:15:59:40:c7:09:00:00:00:00:01:87Certificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

d9:dc:58:2b:ca:99:92:39:b0:28:00:fe:60:18:94:f9:ba:d1:62:40:5d:18:c0:0b:90:f6:e9:a7:67:f6:19:48Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Sections

.data Size: 512B - Virtual size: 8B

.text Size: 9KB - Virtual size: 9KB

Code Sign

33:00:00:02:cf:6d:2c:c5:7c:aa:65:a6:d8:00:00:00:00:02:cfCertificate

Extended Key Usages

61:0c:52:4c:00:00:00:00:00:03Certificate

Key Usages

3c:6c:9a:43:c5:46:e8:85:a3:95:68:d4:eb:ee:b0:e9:f5:18:74:9b:9c:ad:8d:b3:97:59:48:80:6a:d6:c2:ceSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Exports

Exports

Sections

.rdata Size: 1024B - Virtual size: 944B

.rsrc Size: 1024B - Virtual size: 1008B

33:00:00:02:cf:6d:2c:c5:7c:aa:65:a6:d8:00:00:00:00:02:cf
Certificate

61:0c:52:4c:00:00:00:00:00:03
Certificate

85:8e:c6:e6:fe:a3:6b:b0:c6:71:b8:2a:60:bd:60:97:3a:9f:4d:02:69:df:65:22:d5:68:81:c3:eb:9f:66:33
Signer

.rdata
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 1008B

.text
Size: 30KB - Virtual size: 29KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

33:00:00:01:87:72:17:72:15:59:40:c7:09:00:00:00:00:01:87
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

d9:dc:58:2b:ca:99:92:39:b0:28:00:fe:60:18:94:f9:ba:d1:62:40:5d:18:c0:0b:90:f6:e9:a7:67:f6:19:48
Signer

.data
Size: 512B - Virtual size: 8B

.text
Size: 9KB - Virtual size: 9KB

33:00:00:02:cf:6d:2c:c5:7c:aa:65:a6:d8:00:00:00:00:02:cf
Certificate

61:0c:52:4c:00:00:00:00:00:03
Certificate

3c:6c:9a:43:c5:46:e8:85:a3:95:68:d4:eb:ee:b0:e9:f5:18:74:9b:9c:ad:8d:b3:97:59:48:80:6a:d6:c2:ce
Signer

.rdata
Size: 1024B - Virtual size: 944B

.rsrc
Size: 1024B - Virtual size: 1008B