Overview

overview

10

Static

static

3

BootstrapperNew.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    BootstrapperNew.exe

  • Size

    2.9MB

  • Sample

    250304-1dbwds1wgz

  • MD5

    95dc6da23a19b85742e9e88f6be99c34

  • SHA1

    6472d33772b0827bbefa20702dc2845d91f77535

  • SHA256

    07b6f8733155a98e4fd39d415104acc67677a6ab3ffaab73802ae5ab5bc56d5e

  • SHA512

    a0671247f44a9fc2083456811032c7fbd3c4315deec8004ff1191911f2acf0ec97287f16d5f540c15382d84f2edc461731961071f238a2776b6c20fe076acfec

  • SSDEEP

    49152:U8aLLZKgJlVSsCd0sRw/848jY0f4vYAPGiXKGEwILblKvf+nsXGfIjJqlRJZN+gi:UnLLIgbglw/8E0QvY4E/LbIf+nw41lRN

Score
10/10
xwormdefense_evasiondiscoveryexecutionrattrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe
exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Extracted

Family

xworm

Attributes
  • Install_directory

    %port%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/GMv8QPCE

Targets

    • Target

      BootstrapperNew.exe

    • Size

      2.9MB

    • MD5

      95dc6da23a19b85742e9e88f6be99c34

    • SHA1

      6472d33772b0827bbefa20702dc2845d91f77535

    • SHA256

      07b6f8733155a98e4fd39d415104acc67677a6ab3ffaab73802ae5ab5bc56d5e

    • SHA512

      a0671247f44a9fc2083456811032c7fbd3c4315deec8004ff1191911f2acf0ec97287f16d5f540c15382d84f2edc461731961071f238a2776b6c20fe076acfec

    • SSDEEP

      49152:U8aLLZKgJlVSsCd0sRw/848jY0f4vYAPGiXKGEwILblKvf+nsXGfIjJqlRJZN+gi:UnLLIgbglw/8E0QvY4E/LbIf+nw41lRN

    Score
    10/10
    xwormdefense_evasiondiscoveryexecutionrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion
    behavioral1

MITRE ATT&CK Enterprise v15

Tasks