XwormLoader[.]exe | Triage

Sharing

General

Target

XwormLoader.exe
Size

7.8MB
MD5

239e4c2d3e6553ad53ccc6172a6a11b8
SHA1

f7313274cc27c47ca78a476541e0e30e84c4dcbc
SHA256

fb05744e6285d0d7eaff70f7b303eb04ed24080af8c31e83b7da0bae16e2c216
SHA512

76cce7ec3788db10a1886a27b862f5203c0c8d4294b79efb4512442d8b817be3ea3fb9777e5bacff90e38f14c84a60e319cff23e028dbd9567f4913d94b137f3
SSDEEP

196608:7//b4C6XrL5HfZBEhl3xZi5OslC9+PWbXooVl41u1mMFsr3:7/yvRZBEP3xZi5Oso+PWbXooL4Sa3

Score

7^/10

Malware Config

Signatures

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
sample	net_reactor

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
XwormLoader.exe

Files

XwormLoader.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 7.7MB - Virtual size: 7.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 137KB - Virtual size: 137KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.reloc
.rsrc/0/GROUP_ICON/1
.rsrc/0/ICON/1
.png
.rsrc/0/ICON/2.ico
.rsrc/0/ICON/3.ico
.rsrc/0/ICON/4.ico
.rsrc/0/ICON/5.ico
.rsrc/0/ICON/6.ico
.rsrc/0/version.txt
.rsrc/1033/MANIFEST/1
.xml
.text