xworm | 81495b2fed47dda40e5ca4e871ad989d5906b2d75fd563f2e2134f10264f2d55 | Triage

Submit
Reports

Overview

overview

Static

static

7

Bootstrapp...ed.exe

windows11-21h2-x64

Sharing

General

Target

BootstrapperV3_1_protected.exe
Size

7.3MB
Sample

250304-tlavqsvmz7
MD5

2a8cf24db62f39d25634b4d3d1f7d997
SHA1

3a5161efaec9020bb223b3ce75d80af0016658e1
SHA256

81495b2fed47dda40e5ca4e871ad989d5906b2d75fd563f2e2134f10264f2d55
SHA512

eeeca9595a1bfa6a03859080eff4d11d41de686ff3b6171b674a650112c74534b99400cc68461d1dc99a03c57c1f7566c39e9ea4a79d851a95964c1d1ab691da
SSDEEP

196608:PS4H3QWhpkTBch+3Tq02WBqUx6H783EPq2s1j:PSPyk9mSqPWcUx478n5p

Score

10^/10

xworm defense_evasion discovery execution rat themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

BootstrapperV3_1_protected.exe

Resource

win11-20250218-en

xworm defense_evasion discovery execution rat themida trojan

windows11-21h2-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%LocalAppData%
install_file
$77VoicemodDriver.exe
pastebin_url
https://pastebin.com/raw/tPMsFy8n

Targets

- Target
  
  BootstrapperV3_1_protected.exe
- Size
  
  7.3MB
- MD5
  
  2a8cf24db62f39d25634b4d3d1f7d997
- SHA1
  
  3a5161efaec9020bb223b3ce75d80af0016658e1
- SHA256
  
  81495b2fed47dda40e5ca4e871ad989d5906b2d75fd563f2e2134f10264f2d55
- SHA512
  
  eeeca9595a1bfa6a03859080eff4d11d41de686ff3b6171b674a650112c74534b99400cc68461d1dc99a03c57c1f7566c39e9ea4a79d851a95964c1d1ab691da
- SSDEEP
  
  196608:PS4H3QWhpkTBch+3Tq02WBqUx6H783EPq2s1j:PSPyk9mSqPWcUx478n5p
Score

10^/10

xworm defense_evasion discovery execution rat themida trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasiondiscoveryexecutionratthemidatrojan

© 2018-2025

Terms | Privacy