xworm | XClient[.]bat | Triage

Sharing

General

Target

XClient.bat
Size

336KB
MD5

5fcc047b04b088650ffab33ab0d3a991
SHA1

310de3660d360e55e02aeabc2bb96fe1a00fbeb1
SHA256

227dbbb256d5236819196deda5707bc6abd1df5ba9a483edf82443ad12f26930
SHA512

5bc2803bb1fbcd18b33f7c23120fa144cb29c07376c40622f20d69386932bbf82e8160ec7ec11c781a0624a875ee198369c7b2cf8b2464986054d7c5d94c4cf4
SSDEEP

6144:gv9QxBt25x/5bTgVziHzZnSKrCbYM+2ba8Mq:NxBt8/5/gVziHlBrCbYP85

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

Version

5.0

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
sample	family_xworm

Xworm family
xworm

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
XClient.bat

Files

XClient.bat
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 330KB - Virtual size: 330KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ