XWorm | Obfuscated-Batch-Script-drops-XWorm

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\kEecfMwgj\Desktop\fcmth.bat

Sample File

Batch

MIME Type	application/x-bat
File Size	77.24 KB
MD5	468184814f843ccabfba6e4797b64dea
SHA1	da23c44c7143e01c6084fd99f680926b553c3ba1
SHA256	96cc09ef13054fe37778f15fa87202e727832895f9712f68a18618fcb5c24ef1
SSDeep	1536:1ueBx7KjbtTZiK77VvRFf0bc7OMYIUuH4Rx+GwnPNm8ywUp5QjSdDmjnFllQZEqV:1uAx7KjbtTZiK77VvRFf0bc7OMYIUuH2
ImpHash	-

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
Batch_Obfuscator	File obfuscated by batch-obfuscator	-	4/5	... Actions Show Ruleset Show Match

C:\Users\kEecfMwgj\AppData\Roaming\ApplicationFrameHost.exe

Downloaded File

Binary

Also Known As	C:\Users\kEecfMwgj\Desktop\MicrosoftAccount.exe (Accessed File)
MIME Type	application/vnd.microsoft.portable-executable
File Size	69.50 KB
MD5	60efdd9e1cf39dd0a3a7fbdeb6a2d391
SHA1	29dbc62cedd344c115047fcec30f83e81c6d794c
SHA256	5ad2e8363c51cc2392e5ea5c34fd426d585c118a1010cd034ccca53cb9aea8b0
SSDeep	1536:fl/VpCz5Iqc+28akCkj42kbOOhW8DS6qfRtFAO5ZPYC:fldN8ak9kbbI8ot2O5ZPx
ImpHash	f34d5f2d4577ed6d9ceec516c1f5a744

File Reputation Information

Verdict

Malicious

PE Information

Version Information (7)

Sections (3)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00402000	0x00010B14	0x00010C00	0x00000200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.01
.rsrc	0x00414000	0x000004CE	0x00000600	0x00010E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	3.73
.reloc	0x00416000	0x0000000C	0x00000200	0x00011400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.1

Imports (1)

mscoree.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
_CorExeMain	-	0x00402000	0x00012AE0	0x00010CE0	0x00000000

Memory Dumps (10)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
microsoftaccount.exe	7	0x010B0000	0x010C7FFF	Relevant Image	64-bit	-	... Actions Go to Process Go to YARA Match Download Dump
microsoftaccount.exe	7	0x010B0000	0x010C7FFF	Final Dump	64-bit	-	... Actions Go to Process Go to YARA Match Download Dump
buffer	7	0x1BB8B000	0x1BB8FFFF	First Network Behavior	64-bit	-	... Actions Go to Process Download Dump
buffer	7	0x1B5BE000	0x1B5BFFFF	First Network Behavior	64-bit	-	... Actions Go to Process Download Dump
buffer	7	0x1B1BA000	0x1B1BFFFF	First Network Behavior	64-bit	-	... Actions Go to Process Download Dump
buffer	7	0x1AC9F000	0x1ACAFFFF	First Network Behavior	64-bit	-	... Actions Go to Process Download Dump
buffer	7	0x1A7BD000	0x1A7BFFFF	First Network Behavior	64-bit	-	... Actions Go to Process Download Dump
buffer	7	0x00254000	0x0025FFFF	First Network Behavior	64-bit	-	... Actions Go to Process Download Dump
microsoftaccount.exe	7	0x010B0000	0x010C7FFF	First Network Behavior	64-bit	-	... Actions Go to Process Go to YARA Match Download Dump
applicationframehost.exe	18	0x00950000	0x00967FFF	Relevant Image	64-bit	-	... Actions Go to Process Go to YARA Match Download Dump

YARA Matches (2)

Rule Name	Rule Description	Classification	Score	Actions
XWorm_Strings	XWorm strings	Spyware	5/5	... Actions Show Ruleset Show Match
XWorm_Decryption_Routine	XWorm decryption routine	Spyware	5/5	... Actions Show Ruleset Show Match

C:\Users\kEecfMwgj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ApplicationFrameHost.lnk

Dropped File

Shortcut

MIME Type	application/x-ms-shortcut
File Size	762 Bytes
MD5	65c860e10c5667ba183d3a042aacae77
SHA1	648292a9dc0650b116e1a1fc4b57626e3d3c6cfb
SHA256	7491cc066c0da542ff22a4deae129359b860ad3218b38d5338da933aa60943fe
SSDeep	12:8c6CKS4cACrDsSEhDkSLtp1gXIqIaT0je1NgHJDCIqIaTfEJ5l:8c6ZNEDQDltfVWgBNWfEzl
ImpHash	-