Extracted

Extracted

• • Target

    BootStrapper.exe

  • Size

    67.4MB

  • MD5

    95c62117026468422cd0b06c6cfaac11

  • SHA1

    4693236ebe6f248b05227d9244dd0a230adf6bd7

  • SHA256

    1a09874f3ad3e32eebaebe0a3aff400a9f04d227c4112e54a9b07daff3450df4

  • SHA512

    d2cb06f9cfaa1d8904be9fb550002f6808f34b399112c3ac11930bd7c0f555de9833a59192858c2b2c155f6097b7fd70ba9f84aa12d30a48c3556e45bd35c3f2

  • SSDEEP

    393216:e4TPZVLWruiFVks+9j54GXvitZQLCO5SXDqQu58EISEhoIaE2FShABZDv25PPa2r:eKRVQxhu0P8Lq1LEvxOOx5St

  Score

  10^/10

  asyncratxwormdefaultdiscoveryrattrojanbootkitdefense_evasionpersistence

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Detect Xworm Payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Async RAT payload

    rat

  • Sets service image path in registry

    persistence

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Indicator Removal: Clear Windows Event Logs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  behavioral1behavioral2behavioral3