xworm | ASASQSQ[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

ASASQSQ.exe
Size

1.7MB
MD5

1f583cdad39718a3bbb8b25b44ec2ce1
SHA1

fcf80c45499f3f42506e3bbc1cadd4103380b8db
SHA256

0d2e82ca0d95d0ccca529f976f6334bd623a0dbad25be79a3127521e5816fe94
SHA512

91dbcc3dbb43e64d02392a67c1d9fa80b7aafd1c4759b78fb6dbd3f55940c7dc05c00d0091b070c17400ce3a78c3fd3f3ef579604d0c2d5bed39d476bb7f9f57
SSDEEP

49152:qjQ3JroNE7cZchtwBqN9smtUI1293vaRSO3:qcwE7ichtMY9suUIyQf

Score

10^/10

xworm

Malware Config

Extracted

Family

xworm

147.185.221.26:38655

Attributes

Install_directory
%AppData%
install_file
♬ ♬.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
static1/unpack001/XClient.exe	family_xworm

Xworm family
xworm

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
ASASQSQ.exe
unpack001/XClient.exe
unpack001/es^p Supreme V1.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
sample	nsis_installer_1
sample	nsis_installer_2

Files

ASASQSQ.exe
.exe windows:4 windows x86 arch:x86

29b61e5a552b3a9bc00953de1c93be41

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetFileAttributesA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CompareFileTime
SearchPathA
Sleep
GetTickCount
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
CreateDirectoryA
lstrcmpiA
GetCommandLineA
GetVersion
SetErrorMode
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
CreateFileA
GetTempFileNameA
lstrlenA
lstrcatA
GetSystemDirectoryA
LoadLibraryA
SetFileTime
CloseHandle
GlobalFree
lstrcmpA
ExpandEnvironmentStringsA
GetExitCodeProcess
GlobalAlloc
WaitForSingleObject
GetWindowsDirectoryA
GetTempPathA
GetProcAddress
FindFirstFileA
FindNextFileA
DeleteFileA
SetFilePointer
ReadFile
FindClose
GetPrivateProfileStringA
WritePrivateProfileStringA
WriteFile
MulDiv
LoadLibraryExA
GetModuleHandleA
MultiByteToWideChar
FreeLibrary

user32

GetWindowRect
EnableMenuItem
GetSystemMenu
ScreenToClient
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetForegroundWindow
PostQuitMessage
RegisterClassA
EndDialog
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
ExitWindowsEx
DestroyWindow
OpenClipboard
TrackPopupMenu
SendMessageTimeoutA
GetDC
LoadImageA
GetDlgItem
FindWindowExA
IsWindow
SetClipboardData
SetWindowLongA
EmptyClipboard
SetTimer
CreateDialogParamA
wsprintfA
ShowWindow
SetWindowTextA

gdi32

SelectObject
SetBkMode
CreateFontIndirectA
SetTextColor
DeleteObject
GetDeviceCaps
CreateBrushIndirect
SetBkColor

shell32

SHGetSpecialFolderLocation
SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA

advapi32

RegDeleteValueA
SetFileSecurityA
RegOpenKeyExA
RegDeleteKeyA
RegEnumValueA
RegCloseKey
RegCreateKeyExA
RegSetValueExA
RegQueryValueExA
RegEnumKeyA

comctl32

ImageList_Create
ImageList_Destroy
ord17
ImageList_AddMasked

ole32

OleUninitialize
OleInitialize
CoTaskMemFree
CoCreateInstance

Sections

.text
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 151KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 32KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 150KB - Virtual size: 150KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
XClient.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 81KB - Virtual size: 80KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 128KB - Virtual size: 127KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
es^p Supreme V1.exe
.exe windows:6 windows x64 arch:x64

fdef6d09fdf0a275c8872bbde18234f3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\Esp Engine is here\Desktop\ImGuis\Xereca Supreme\examples\Exe\Xereca Supreme V1.pdb

Imports

d3dx11_43

D3DX11CreateShaderResourceViewFromMemory

d3d11

D3D11CreateDeviceAndSwapChain

d3dcompiler_43

D3DCompile

ole32

CoInitialize
CoUninitialize
CoCreateInstance

kernel32

GetFileInformationByHandleEx
SetFileInformationByHandle
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
GetFileAttributesExW
SleepConditionVariableSRW
GetCurrentThreadId
WakeAllConditionVariable
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetStartupInfoW
GetCurrentProcessId
GetSystemTimeAsFileTime
InitializeSListHead
OutputDebugStringW
VerSetConditionMask
GetProcAddress
QueryPerformanceFrequency
LoadLibraryA
GetModuleHandleA
IsDebuggerPresent
AllocConsole
GetTickCount
VirtualFreeEx
CreateRemoteThread
FreeLibrary
WinExec
ReadProcessMemory
VirtualAllocEx
Beep
GetThreadContext
GlobalUnlock
WideCharToMultiByte
GlobalLock
VirtualProtectEx
CreateThread
AreFileApisANSI
FindFirstFileW
FindClose
GetLocaleInfoEx
GetFileSizeEx
CreateFileA
WaitForMultipleObjects
PeekNamedPipe
ReadFile
GetFileType
GetStdHandle
GetEnvironmentVariableA
WaitForSingleObjectEx
MoveFileExA
VerifyVersionInfoA
GetSystemDirectoryA
SleepEx
LeaveCriticalSection
EnterCriticalSection
LocalFree
FormatMessageA
SetLastError
QueryFullProcessImageNameW
GetModuleHandleW
GetModuleFileNameA
UnmapViewOfFile
MapViewOfFile
CloseHandle
Process32Next
GetCurrentThread
GetLastError
Sleep
CreateToolhelp32Snapshot
OpenProcess
ReleaseMutex
WaitForSingleObject
CreateMutexA
TerminateProcess
VirtualAlloc
OutputDebugStringA
GetCurrentProcess
WriteProcessMemory
Process32First
CreateFileMappingW
GlobalFree
GlobalAlloc
MultiByteToWideChar
GetProcessHeap
CreateFileW
CheckRemoteDebuggerPresent
GetSystemInfo
InitializeCriticalSectionEx
DeleteCriticalSection
VirtualProtect
HeapDestroy
QueryPerformanceCounter
VirtualQueryEx
HeapAlloc
HeapReAlloc
HeapFree
HeapSize

user32

SetCursorPos
ReleaseCapture
IsWindowUnicode
GetClientRect
GetCursorPos
CloseClipboard
GetForegroundWindow
TrackMouseEvent
EmptyClipboard
GetClipboardData
SetClipboardData
SetCursor
DispatchMessageA
GetWindowRect
DestroyWindow
SetWindowRgn
CreateWindowExW
GetSystemMetrics
OpenClipboard
SetCapture
LoadCursorA
GetKeyState
ClientToScreen
UpdateWindow
FindWindowA
PostQuitMessage
PeekMessageA
LoadIconA
TranslateMessage
SetLayeredWindowAttributes
DefWindowProcA
MoveWindow
MessageBoxA
SetWindowDisplayAffinity
GetWindowLongA
SetWindowLongA
GetAsyncKeyState
GetCapture
ScreenToClient
UnregisterClassW
RegisterClassExW
GetActiveWindow
ShowWindow

gdi32

CreateRoundRectRgn

advapi32

AddAccessAllowedAce
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptDestroyKey
CryptImportKey
CryptEncrypt
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
ConvertSidToStringSidA
CopySid
SetSecurityInfo
OpenProcessToken
IsValidSid
InitializeAcl
GetTokenInformation
GetLengthSid
CryptGenRandom

msvcp140

?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Xlength_error@std@@YAXPEBD@Z
_Query_perf_frequency
?_Throw_Cpp_error@std@@YAXH@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?uncaught_exception@std@@YA_NXZ
?_Xout_of_range@std@@YAXPEBD@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Winerror_map@std@@YAHH@Z
?_Syserror_map@std@@YAPEBDH@Z
_Cnd_do_broadcast_at_thread_exit
_Query_perf_counter
_Thrd_detach
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?_Xbad_function_call@std@@YAXXZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?good@ios_base@std@@QEBA_NXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z

imm32

ImmSetCompositionWindow
ImmSetCandidateWindow
ImmReleaseContext
ImmGetContext

dwmapi

DwmExtendFrameIntoClientArea

ntdll

ZwProtectVirtualMemory
RtlAdjustPrivilege
RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry
ZwWriteVirtualMemory
NtRaiseHardError
ZwReadVirtualMemory

urlmon

URLDownloadToFileA

shlwapi

PathFileExistsA

normaliz

IdnToAscii

wldap32

ord143
ord217
ord46
ord211
ord60
ord45
ord50
ord41
ord22
ord26
ord27
ord32
ord33
ord35
ord79
ord30
ord200
ord301

crypt32

CryptQueryObject
CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
PFXImportCertStore
CryptDecodeObjectEx
CertAddCertificateContextToStore
CertFindExtension
CertGetNameStringA
CertFreeCertificateChain
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain

ws2_32

WSAIoctl
closesocket
recv
send
WSAGetLastError
bind
connect
getpeername
getsockname
getsockopt
htons
ntohs
setsockopt
socket
WSASetLastError
freeaddrinfo
WSAStartup
WSACleanup
ntohl
gethostname
accept
sendto
htonl
recvfrom
listen
getaddrinfo
select
__WSAFDIsSet
ioctlsocket

psapi

GetModuleInformation

userenv

UnloadUserProfile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__current_exception
strrchr
memset
memmove
memcpy
__C_specific_handler
memchr
_CxxThrowException
strchr
__std_terminate
__std_exception_copy
__std_exception_destroy
__current_exception_context
memcmp
strstr

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsprintf
fwrite
_lseeki64
fread
fclose
__stdio_common_vsscanf
_set_fmode
feof
__p__commode
fputs
fopen
fputc
__acrt_iob_func
fflush
_read
_write
_close
_open
_pclose
fgets
__stdio_common_vfprintf
ftell
fseek
_wfopen
_popen

api-ms-win-crt-utility-l1-1-0

rand
qsort

api-ms-win-crt-string-l1-1-0

_strdup
strncmp
strncpy
tolower
strpbrk
strcmp
strcspn
strspn
isupper

api-ms-win-crt-heap-l1-1-0

free
_callnewh
calloc
_set_new_mode
_msize
realloc
malloc

api-ms-win-crt-runtime-l1-1-0

_beginthreadex
terminate
_configure_narrow_argv
_errno
exit
strerror
__sys_nerr
_invalid_parameter_noinfo
_resetstkoflw
_invalid_parameter_noinfo_noreturn
_register_thread_local_exe_atexit_callback
_c_exit
_wassert
_exit
_initterm_e
_initterm
_get_narrow_winmain_command_line
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
system
abort
_getpid

api-ms-win-crt-convert-l1-1-0

strtol
strtoll
strtoull
strtod
strtoul
atoi

api-ms-win-crt-multibyte-l1-1-0

_mbsicmp

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-locale-l1-1-0

localeconv
_configthreadlocale
___lc_codepage_func

api-ms-win-crt-math-l1-1-0

__setusermatherr
atan2f
acosf
ceilf
cosf
_dclass
fmodf
powf
sinf
sqrtf

api-ms-win-crt-time-l1-1-0

_gmtime64
_time64

api-ms-win-crt-filesystem-l1-1-0

_fstat64
_stat64
_unlink
_access

Sections

.text
Size: 821KB - Virtual size: 821KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 201KB - Virtual size: 201KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 859KB - Virtual size: 870KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 568KB - Virtual size: 572KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Extracted

Signatures

Files

29b61e5a552b3a9bc00953de1c93be41

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

Sections

.text Size: 24KB - Virtual size: 23KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 1KB - Virtual size: 151KB

.ndata Size: - Virtual size: 32KB

.rsrc Size: 150KB - Virtual size: 150KB

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 81KB - Virtual size: 80KB

.rsrc Size: 128KB - Virtual size: 127KB

.reloc Size: 512B - Virtual size: 12B

fdef6d09fdf0a275c8872bbde18234f3

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

d3dx11_43

d3d11

d3dcompiler_43

ole32

kernel32

user32

gdi32

advapi32

msvcp140

imm32

dwmapi

ntdll

urlmon

shlwapi

normaliz

wldap32

crypt32

ws2_32

psapi

userenv

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-multibyte-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

Sections

.text Size: 821KB - Virtual size: 821KB

.rdata Size: 201KB - Virtual size: 201KB

.data Size: 859KB - Virtual size: 870KB

.pdata Size: 32KB - Virtual size: 32KB

.rsrc Size: 512B - Virtual size: 480B

.text
Size: 24KB - Virtual size: 23KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 1KB - Virtual size: 151KB

.ndata
Size: - Virtual size: 32KB

.rsrc
Size: 150KB - Virtual size: 150KB

.text
Size: 81KB - Virtual size: 80KB

.rsrc
Size: 128KB - Virtual size: 127KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 821KB - Virtual size: 821KB

.rdata
Size: 201KB - Virtual size: 201KB

.data
Size: 859KB - Virtual size: 870KB

.pdata
Size: 32KB - Virtual size: 32KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 568KB - Virtual size: 572KB