58c96d14b75d1118fdd0a090440ee257

PE Executable
|
MD5: 58c96d14b75d1118fdd0a090440ee257
|
Size: 33.79 KB
|
application/x-dosexec

Infection Chain

Summary by MalvaGPT

Characteristics

Hash	Hash Value
MD5	58c96d14b75d1118fdd0a090440ee257
Sha1	274e0792ccccfcee809aedf0fa1abed9d3e5588f
Sha256	68b20156f91380f18d34a84d51f7be308c494edebf353462331b3eb2212cd953
Sha384	1acb0d860c7d169b4424f3940ad1499dcbe56cb4da4bea2b7214f6fda9aff52916b70d49667d22d5f8749c8aad594078
Sha512	eed67c853e89014c67f683498ccd515d8a3f6bd08f0d4aadeac6687eed71ee99aa33ddefe4281f11632d3d9d0e08d6699b5b80957a2a31a6e794cf9ebce1fa81
SSDeep	384:CPaJByq2WqO1Hk/xMxXZduPLOX2L9oTvh0FbOKTCOQm5RApkFTBLTAOZwpGd2v9J:hBMYvL9C2TvGFbO75m5VFo9jHOjh8bF
TLSH	6CE24B4877A08312D5FEAFF02AF2710A5274E51B9D13EB4E0CD48A963B639C246507EA

PeID

.NET executable

Microsoft Visual C# / Basic .NET

Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL

Microsoft Visual C# v7.0 / Basic .NET

Microsoft Visual Studio .NET

File Structure

Malware Configuration - XWorm config.

Config. Field0	Value
Mutex	DdCnS0r7XeweSruQ
Hosts	dsayankeefootball.duckdns.org,transamadocollections.duckdns.org,forsizillenazzlle.duckdns.org
Port	8281
KEY	<42000218>
USBNM	<Xwormmm>
family	xworm

Informations

Name0	Value
Info	PE Detect: PeReader OK (file layout)
Module Name	XWormClient.exe
Full Name	XWormClient.exe
EntryPoint	System.Void Stub.Main::Main()
Scope Name	XWormClient.exe
Scope Type	ModuleDef
Kind	Windows
Runtime Version	v4.0.30319
Tables Header Version	512
WinMD Version	<null>
Assembly Name	XWormClient
Assembly Version	1.0.0.0
Assembly Culture	<null>
Has PublicKey	False
PublicKey Token	<null>
Target Framework	<null>
Total Strings	157
Main Method	System.Void Stub.Main::Main()
Main IL Instruction Count	58
Main IL	ldsfld System.Int32 Settings::Sleep ldc.i4 1000 mul.ovf <null> call System.Void System.Threading.Thread::Sleep(System.Int32) ldsfld System.String Settings::Hosts call System.Object Stub.AlgorithmAES::Decrypt(System.String) call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) stsfld System.String Settings::Hosts ldsfld System.String Settings::Port call System.Object Stub.AlgorithmAES::Decrypt(System.String) call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) stsfld System.String Settings::Port ldsfld System.String Settings::KEY call System.Object Stub.AlgorithmAES::Decrypt(System.String) call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) stsfld System.String Settings::KEY ldsfld System.String Settings::SPL call System.Object Stub.AlgorithmAES::Decrypt(System.String) call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) stsfld System.String Settings::SPL ldsfld System.String Settings::Groub call System.Object Stub.AlgorithmAES::Decrypt(System.String) call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) stsfld System.String Settings::Groub ldsfld System.String Settings::USBNM call System.Object Stub.AlgorithmAES::Decrypt(System.String) call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) stsfld System.String Settings::USBNM leave.s IL_009E: call System.Boolean Stub.Helper::CreateMutex() dup <null> call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(System.Exception) stloc.2 <null> ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError() leave.s IL_009E: call System.Boolean Stub.Helper::CreateMutex() call System.Boolean Stub.Helper::CreateMutex() brtrue.s IL_00AB: call System.Void Stub.Helper::PreventSleep() ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) call System.Void Stub.Helper::PreventSleep() ldnull <null> ldftn System.Void Stub.Main::_Lambda$__1() newobj System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr) newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) stloc.0 <null> ldnull <null> ldftn System.Void Stub.Main::_Lambda$__2() newobj System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr) newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) stloc.1 <null> ldloc.0 <null> callvirt System.Void System.Threading.Thread::Start() ldloc.1 <null> callvirt System.Void System.Threading.Thread::Start() ldloc.1 <null> callvirt System.Void System.Threading.Thread::Join() ret <null>
Module Name	XWormClient.exe
Full Name	XWormClient.exe
EntryPoint	System.Void Stub.Main::Main()
Scope Name	XWormClient.exe
Scope Type	ModuleDef
Kind	Windows
Runtime Version	v4.0.30319
Tables Header Version	512
WinMD Version	<null>
Assembly Name	XWormClient
Assembly Version	1.0.0.0
Assembly Culture	<null>
Has PublicKey	False
PublicKey Token	<null>
Target Framework	<null>
Total Strings	157
Main Method	System.Void Stub.Main::Main()
Main IL Instruction Count	58
Main IL	ldsfld System.Int32 Settings::Sleep ldc.i4 1000 mul.ovf <null> call System.Void System.Threading.Thread::Sleep(System.Int32) ldsfld System.String Settings::Hosts call System.Object Stub.AlgorithmAES::Decrypt(System.String) call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) stsfld System.String Settings::Hosts ldsfld System.String Settings::Port call System.Object Stub.AlgorithmAES::Decrypt(System.String) call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) stsfld System.String Settings::Port ldsfld System.String Settings::KEY call System.Object Stub.AlgorithmAES::Decrypt(System.String) call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) stsfld System.String Settings::KEY ldsfld System.String Settings::SPL call System.Object Stub.AlgorithmAES::Decrypt(System.String) call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) stsfld System.String Settings::SPL ldsfld System.String Settings::Groub call System.Object Stub.AlgorithmAES::Decrypt(System.String) call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) stsfld System.String Settings::Groub ldsfld System.String Settings::USBNM call System.Object Stub.AlgorithmAES::Decrypt(System.String) call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) stsfld System.String Settings::USBNM leave.s IL_009E: call System.Boolean Stub.Helper::CreateMutex() dup <null> call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(System.Exception) stloc.2 <null> ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError() leave.s IL_009E: call System.Boolean Stub.Helper::CreateMutex() call System.Boolean Stub.Helper::CreateMutex() brtrue.s IL_00AB: call System.Void Stub.Helper::PreventSleep() ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) call System.Void Stub.Helper::PreventSleep() ldnull <null> ldftn System.Void Stub.Main::_Lambda$__1() newobj System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr) newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) stloc.0 <null> ldnull <null> ldftn System.Void Stub.Main::_Lambda$__2() newobj System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr) newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) stloc.1 <null> ldloc.0 <null> callvirt System.Void System.Threading.Thread::Start() ldloc.1 <null> callvirt System.Void System.Threading.Thread::Start() ldloc.1 <null> callvirt System.Void System.Threading.Thread::Join() ret <null>

Artefacts

Name0	Value
Mutex	DdCnS0r7XeweSruQ
CnC	dsayankeefootball.duckdns.org
CnC	transamadocollections.duckdns.org
CnC	forsizillenazzlle.duckdns.org
Port	8281

58c96d14b75d1118fdd0a090440ee257 (33.79 KB)