Overview

overview

10

Static

static

10

Bloxstrap-v2.8.1.exe

windows7-x64

10

Bloxstrap-v2.8.1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    322s
  • max time network
    303s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 01:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bloxstrap-v2.8.1.exe

  • Size

    90KB

  • MD5

    14d4016a97613c132cd0f5ef44bb89e5

  • SHA1

    6bf013a301f5f18f4948806392f06552295cc71e

  • SHA256

    05e8795cc1a3970c8f1175f05f013caffca9feecb7e53bff65c478b94c4fc722

  • SHA512

    c0279b287cadc4cf97a454632a9161fd2ca24884e6e9ad8997b92f1781d5a17d137001828c924bc685d1f0ae997a0797189d818ead6d45ea13b20ce58b7329d4

  • SSDEEP

    1536:0svC6eOgCMFU9YAOMH+HVFHwMuz8bkX0L9qrtOg3tzQUB/dP3/PKx5eClbm:00reOgJFU9YAOMenHwKkX0BsQEzQsPKG

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

VbFWnnjtfbUcjrCO

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    FileExplorer.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 36 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.8.1.exe
    "C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.8.1.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4872
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\FileExplorer.exe
    Filesize

    90KB

    MD5

    14d4016a97613c132cd0f5ef44bb89e5

    SHA1

    6bf013a301f5f18f4948806392f06552295cc71e

    SHA256

    05e8795cc1a3970c8f1175f05f013caffca9feecb7e53bff65c478b94c4fc722

    SHA512

    c0279b287cadc4cf97a454632a9161fd2ca24884e6e9ad8997b92f1781d5a17d137001828c924bc685d1f0ae997a0797189d818ead6d45ea13b20ce58b7329d4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FileExplorer.lnk
    Filesize

    989B

    MD5

    005d64c1f747970950a03724e4bd4515

    SHA1

    0faf3419e41718926207d1d8abe5658dbcadbb38

    SHA256

    541e94bdbde5ed7fe6730cee39caeb7bb0cd84f4f304665bd715d8aeb2212ec7

    SHA512

    a2300e6350c83a28fc8e8fd75ea307bb9b3bcfbb795fb7f43877c7bb36d6af6dbd529decf633b144b74b5ac568a9167a42acdf86b9cc20f1f6fff040e34684bb

    Download Submit

  • memory/4872-0-0x00007FFEAEFA3000-0x00007FFEAEFA5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4872-1-0x0000000000C40000-0x0000000000C5C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/4872-6-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4872-7-0x00007FFEAEFA3000-0x00007FFEAEFA5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4872-8-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4892-16-0x0000024E16350000-0x0000024E16351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4892-9-0x0000024E16350000-0x0000024E16351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4892-21-0x0000024E16350000-0x0000024E16351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4892-20-0x0000024E16350000-0x0000024E16351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4892-19-0x0000024E16350000-0x0000024E16351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4892-18-0x0000024E16350000-0x0000024E16351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4892-17-0x0000024E16350000-0x0000024E16351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4892-15-0x0000024E16350000-0x0000024E16351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4892-10-0x0000024E16350000-0x0000024E16351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4892-11-0x0000024E16350000-0x0000024E16351000-memory.dmp

    Filesize

    4KB

    Download