XWorm is not a brand-new malware family[1]. It’s a common RAT (Remote Access Tool) re-use regularly in new campaigns. Yesterday, I found a sample that behaves like a dropper and runs the malware using the Process Hollowing technique[2]. The sample is called “@Norman_is_back_RPE_v1.exe” (SHA256: dc406d626a9aac5bb918abf0799fa91ba6239fc426324fd8c063cc0fcb3b5428). It’s a .Net executable that is, strangely, not obfuscated. It’s possible to disassemble it with ilspycmd:
Article Link: https://isc.sans.edu/diary/rss/31112
1 post - 1 participant
Malware Analysis, News and Indicators - Latest topics
Post a Comment
Post a Comment