xworm | 1b0595d3b145f0711f4955ef0cf400fc109240dd2a4507d3c70d43e3c7f5ddf6 | Triage

Submit
Reports

Overview

overview

Static

static

3

Boostrappersolara.exe

windows10-ltsc 2021-x64

Boostrappersolara.exe

windows11-21h2-x64

Sharing

General

Target

Boostrappersolara.exe
Size

1021KB
Sample

241111-pe75fasncm
MD5

5984f8e86947c614e45f83842e13bb58
SHA1

d5610665892d2cf56218f7f4a3be3839dc95e2db
SHA256

1b0595d3b145f0711f4955ef0cf400fc109240dd2a4507d3c70d43e3c7f5ddf6
SHA512

1bb39fb338d6939952ac6cb5381dfae1b13c1873866095ac372e7290e71e0473f504ff243bb0a5b1afc0f6e106d88505dda3f3496e8975a6cd99552e9fadc335
SSDEEP

24576:jU8hkIIZKdutFwgPdksxfeF5r8oXSqCqrJnHEp+4VjqHgh:jUGHIwgpnFeIo5PrVE9

Score

10^/10

xworm discovery execution persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Boostrappersolara.exe

Resource

win10ltsc2021-20241023-en

xworm discovery execution persistence rat trojan

windows10-ltsc 2021-x64

25 signatures

150 seconds

Behavioral task

behavioral2

Sample

Boostrappersolara.exe

Resource

win11-20241007-en

xworm discovery execution persistence rat trojan

windows11-21h2-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

plant-surfaces.gl.at.ply.gg:7445

Mutex

oXkaMvOL23mmqd7M

Attributes

Install_directory
%Temp%
install_file
svchost.exe

aes.plain

Targets

- Target
  
  Boostrappersolara.exe
- Size
  
  1021KB
- MD5
  
  5984f8e86947c614e45f83842e13bb58
- SHA1
  
  d5610665892d2cf56218f7f4a3be3839dc95e2db
- SHA256
  
  1b0595d3b145f0711f4955ef0cf400fc109240dd2a4507d3c70d43e3c7f5ddf6
- SHA512
  
  1bb39fb338d6939952ac6cb5381dfae1b13c1873866095ac372e7290e71e0473f504ff243bb0a5b1afc0f6e106d88505dda3f3496e8975a6cd99552e9fadc335
- SSDEEP
  
  24576:jU8hkIIZKdutFwgPdksxfeF5r8oXSqCqrJnHEp+4VjqHgh:jUGHIwgpnFeIo5PrVE9
Score

10^/10

xworm discovery execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdiscoveryexecutionpersistencerattrojan

behavioral2

xwormdiscoveryexecutionpersistencerattrojan

© 2018-2024

Terms | Privacy