Behavioral task: behavioral1
Sample: e2a569f0f5168d11500b6e5f5c0ad0c900c45be7cbab68f0c354318123bf942f.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: e2a569f0f5168d11500b6e5f5c0ad0c900c45be7cbab68f0c354318123bf942f.exe
Resource: win10v2004-20240508-en
General
Target: 3db7f780cfc50d086820b95947a61e59.bin
Size: 151KB
MD5: 9466513ea9b1deaed05b7029d44a1059
SHA1: b98f8084f4746dcf3f4110e6f338b7a53b957f37
SHA256: 455c691649fb976fe7c7c1c816b97972c1826e3f053e483cdeaea9a839b05944
SHA512: b92901675aa996d0abaec798e6cd658d0d8c5d71a3e8fc2dc107c5c57ea307f5bb0748484116ead3fe4bb592f96d5f8e7492a2cae4626dc42fe6e8e23cdf4dc3
SSDEEP: 3072:AUUU5RtcK6xi2xJ0sjWAXsmE5xIAyB4Wn7V8TpCOiFgLlNXIsn:tUgexrSRzHW7mQOGYTIu
Malware Config
Extracted
xworm
154.197.69.131:7005
Install_directory: %AppData%
install_file: crss.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule static1/unpack001/e2a569f0f5168d11500b6e5f5c0ad0c900c45be7cbab68f0c354318123bf942f.exe family_xworm -
Xworm family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource unpack001/e2a569f0f5168d11500b6e5f5c0ad0c900c45be7cbab68f0c354318123bf942f.exe
Files
-
3db7f780cfc50d086820b95947a61e59.bin.zip
Password: infected
-
e2a569f0f5168d11500b6e5f5c0ad0c900c45be7cbab68f0c354318123bf942f.exe.exe windows:4 windows x86 arch:x86
Password: infected
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 63KB - Virtual size: 62KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 166KB - Virtual size: 166KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ