xworm | a02eef7ae229cfab507ec2a39994995ea8d905b6ded899b86aa2b64f50046b79 | Triage

Submit
Reports

Overview

overview

Static

static

3

AstroBootS...pd.exe

windows10-2004-x64

Sharing

General

Target

AstroBootStrapper_upd.exe
Size

35.3MB
Sample

240727-bzfzssycmj
MD5

6366596bda3516a281a91c2c10217f5f
SHA1

2029a7837a7aecc36e453ac7accaaf60be851a0e
SHA256

a02eef7ae229cfab507ec2a39994995ea8d905b6ded899b86aa2b64f50046b79
SHA512

e98f7e718fd97e1affa6cd591bb272bad0fea77d08a014d4075cfa0e82c0b270dea242e47541e37864518fa0dc356c16eb95b39c72a7c49513028db822e8cb8f
SSDEEP

786432:NUufa9gYBzTKPkwETf5bPBnB7294tGiNFeGl9jPlyTiS2j+S0mLzSqvZD:bfayKUuTfFPK94GiuGrjPloijT0O2qvp

Score

10^/10

xworm discovery pyinstaller ransomware rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

AstroBootStrapper_upd.exe

Resource

win10v2004-20240709-en

xworm discovery pyinstaller ransomware rat trojan

windows10-2004-x64

27 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

147.185.221.21:37029

Mutex

ImJIbbArI7SKOVwD

Attributes

Install_directory
%AppData%
install_file
ctfmon.exe

aes.plain

Targets

- Target
  
  AstroBootStrapper_upd.exe
- Size
  
  35.3MB
- MD5
  
  6366596bda3516a281a91c2c10217f5f
- SHA1
  
  2029a7837a7aecc36e453ac7accaaf60be851a0e
- SHA256
  
  a02eef7ae229cfab507ec2a39994995ea8d905b6ded899b86aa2b64f50046b79
- SHA512
  
  e98f7e718fd97e1affa6cd591bb272bad0fea77d08a014d4075cfa0e82c0b270dea242e47541e37864518fa0dc356c16eb95b39c72a7c49513028db822e8cb8f
- SSDEEP
  
  786432:NUufa9gYBzTKPkwETf5bPBnB7294tGiNFeGl9jPlyTiS2j+S0mLzSqvZD:bfayKUuTfFPK94GiuGrjPloijT0O2qvp
Score

10^/10

xworm discovery pyinstaller ransomware rat trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Browser Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xwormdiscoverypyinstallerransomwarerattrojan

© 2018-2024

Terms | Privacy