Overview

overview

10

Static

static

3

Bootstrapper.exe

windows7-x64

10

Bootstrapper.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Bootstrapper.exe

  • Size

    1013KB

  • Sample

    241002-q324rsshmb

  • MD5

    210507ba9a960b68093849ca1a606fed

  • SHA1

    ec3966d9c975e408bdea6db0775ad39c8e2d081e

  • SHA256

    8b35e12a2d6b440fb45dbf5adeef1d889abafee43e344fba9024dc530c39a68d

  • SHA512

    9cc92ab8beb846ccd3ac7b21cad039d8f8895d41469db909344729ae518c71cd9b3ed6014bf9d41efa69e877b94c53cca46016472fe1b3c7b025cd7e006aeb49

  • SSDEEP

    24576:tbFvHB0o0BEFrHBSXyCw8bAHjAqTil/NkiH3uZJ:dFJ0DEPrDAquL3s

Score
10/10
xwormdiscoveryrattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

vehicle-wed.gl.at.ply.gg:2355

Mutex

BB4UoRnpJNUmBuip

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      Bootstrapper.exe

    • Size

      1013KB

    • MD5

      210507ba9a960b68093849ca1a606fed

    • SHA1

      ec3966d9c975e408bdea6db0775ad39c8e2d081e

    • SHA256

      8b35e12a2d6b440fb45dbf5adeef1d889abafee43e344fba9024dc530c39a68d

    • SHA512

      9cc92ab8beb846ccd3ac7b21cad039d8f8895d41469db909344729ae518c71cd9b3ed6014bf9d41efa69e877b94c53cca46016472fe1b3c7b025cd7e006aeb49

    • SSDEEP

      24576:tbFvHB0o0BEFrHBSXyCw8bAHjAqTil/NkiH3uZJ:dFJ0DEPrDAquL3s

    Score
    10/10
    xwormrattrojandiscovery

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks