Overview

overview

10

Static

static

1

GotoHTTP.exe

windows7-x64

10

Resubmissions

14/09/2024, 16:21

240914-ttxz8stdpf 6

14/09/2024, 16:21

240914-ttl8qsshjr 6

14/09/2024, 11:16

240914-ndcrga1bkj 7

13/09/2024, 18:55

240913-xkts1atbld 10

13/09/2024, 18:46

240913-xe1dlasgna 10

13/09/2024, 18:30

240913-w5rnpsscpb 10

13/09/2024, 18:13

240913-wtsfvs1gka 10

Sharing

Copy URL Twitter E-mail

General

  • Target

    gotohttp.zip

  • Size

    1.2MB

  • Sample

    240913-wtsfvs1gka

  • MD5

    2121d851176dd98f7e1f11d0f66ddb95

  • SHA1

    a6496cc6f71c5b8a1abe4f0d2809a93862a15f20

  • SHA256

    c2094496f601ba3d32f71b98cfc264bb4565db59f35ba8611f15378879f11b89

  • SHA512

    fefec02ea316711ea5e6fe3c833ef922b018262f6639cc8777eac8c45f838b7822ad438a3116824551a457352bf0447a4847e7496282f0b52468ad63462d3478

  • SSDEEP

    24576:2JuVLoe3YRZ2EHHrrh1V295GmtV6k6hZLSitQF/SWUTLo+myAsUmRO/y6F8rdt/H:B6c+Hrt3ugm+kgLSVmLokUjnMdtoG

Score
10/10
xwormbootkitdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

3.0

Attributes
  • Install_directory

    %Public%

  • install_file

    wininit.exe

  • pastebin_url

    https://pastebin.com/raw/2fh1pPQQ

Targets

    • Target

      GotoHTTP.exe

    • Size

      2.7MB

    • MD5

      9c2aeb99843094262e5038fd152a7db1

    • SHA1

      7596f6274f2ac19d4d1df5a718a561acfd730d3c

    • SHA256

      b1a74465a8c446d1b86d5984defdc18c9c06ad6107b7eb147f37df9b78cda104

    • SHA512

      6954589cf045cf93cc0ed486fca70f20f02781129297852cc92f25e9b50c446805dca8e724b953b8aa8da123f5e67d159625f1cc9e8a96085b52f44b3c8a4347

    • SSDEEP

      49152:P2oh8doKrZmeR5B1qf5LVohWStiOtg01HTulXG:wZmenaVohWSsOtg0wQ

    Score
    10/10
    xwormbootkitdiscoveryexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Downloads MZ/PE file

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

2
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Browser Information Discovery

1
T1217

Query Registry

4
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks