General

  • Target

    E4ExecutorBootstrapper.exe

  • Size

    93KB

  • Sample

    240530-jh7eesba4x

  • MD5

    71080630edbe7735497056e07c52766e

  • SHA1

    6a694669f6288dff09fd656c557c2356904c542f

  • SHA256

    1fe1e9601122a9949efd6b7614f72079f0c11fd0f124c514cbd4857c228f30c6

  • SHA512

    a5f409a2705afbdf0e991dc9a1a27c067d8276b1aadd04677798cd2d56f6069ce9e147138a514ea664ad33d4059038277ec6ce0530c88571ef8ec306a85a2442

  • SSDEEP

    1536:46zAA44lhfBv43W5Lfb5GNNcWhKKCyA2FKKRx1+J4P9t2Ub0AbNKcAK1uA4FmzML:46MOl5Jn5LcnA28i104n2Y4cLulFzL

Malware Config

Extracted

Family

xworm

C2

174.117.48.242:1604

127.0.0.1:1604

Attributes
  • Install_directory

    %AppData%

  • install_file

    RegAsm.exe

Targets

    • Target

      E4ExecutorBootstrapper.exe

    • Size

      93KB

    • MD5

      71080630edbe7735497056e07c52766e

    • SHA1

      6a694669f6288dff09fd656c557c2356904c542f

    • SHA256

      1fe1e9601122a9949efd6b7614f72079f0c11fd0f124c514cbd4857c228f30c6

    • SHA512

      a5f409a2705afbdf0e991dc9a1a27c067d8276b1aadd04677798cd2d56f6069ce9e147138a514ea664ad33d4059038277ec6ce0530c88571ef8ec306a85a2442

    • SSDEEP

      1536:46zAA44lhfBv43W5Lfb5GNNcWhKKCyA2FKKRx1+J4P9t2Ub0AbNKcAK1uA4FmzML:46MOl5Jn5LcnA28i104n2Y4cLulFzL

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks