xworm | 9376c048648b422f2e84397e969f9d403a4fa6d30c2aabdaba2880e09761f28f | Triage

Submit
Reports

Overview

overview

Static

static

3

BootstrapperNew.exe

windows7-x64

BootstrapperNew.exe

windows10-2004-x64

Sharing

General

Target

BootstrapperNew.exe
Size

2.9MB
Sample

250304-1agbps1rw2
MD5

ec8002f20ee00ec84138608ebb7d5154
SHA1

d77b5dfa71bf3b48e351d69a6b251c21c8650d0d
SHA256

9376c048648b422f2e84397e969f9d403a4fa6d30c2aabdaba2880e09761f28f
SHA512

3ee7644cea6fef18cc17f8a0a46408bdb2897fa2da7808e5bc8563786f3a529b2c57141123e2d29eaba03061273ca28d3b3d3ae5758089ce2d4d6a992d661487
SSDEEP

49152:gUcNWu+5IYryMRbEKRWomDRtL38nmVu4+0R/1nnBsfwGGQCEnNNemNznrYWfym//:gUD15XNRbVRWomDRtrbrNnnsbGQCEnNP

Score

10^/10

xworm defense_evasion discovery rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

BootstrapperNew.exe

Resource

win7-20240903-en

xworm defense_evasion discovery rat trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

BootstrapperNew.exe

Resource

win10v2004-20250217-en

xworm defense_evasion discovery rat trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%port%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/GMv8QPCE

Targets

- Target
  
  BootstrapperNew.exe
- Size
  
  2.9MB
- MD5
  
  ec8002f20ee00ec84138608ebb7d5154
- SHA1
  
  d77b5dfa71bf3b48e351d69a6b251c21c8650d0d
- SHA256
  
  9376c048648b422f2e84397e969f9d403a4fa6d30c2aabdaba2880e09761f28f
- SHA512
  
  3ee7644cea6fef18cc17f8a0a46408bdb2897fa2da7808e5bc8563786f3a529b2c57141123e2d29eaba03061273ca28d3b3d3ae5758089ce2d4d6a992d661487
- SSDEEP
  
  49152:gUcNWu+5IYryMRbEKRWomDRtL38nmVu4+0R/1nnBsfwGGQCEnNNemNznrYWfym//:gUD15XNRbVRWomDRtrbrNnnsbGQCEnNP
Score

10^/10

xworm defense_evasion discovery rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasiondiscoveryrattrojan

behavioral2

xwormdefense_evasiondiscoveryrattrojan

© 2018-2025

Terms | Privacy