xworm | cb77cc2932fd091798e577cb18708b0ed58bd6c126059fbdb3d6a4024c6a29cc | Triage

Submit
Reports

Overview

overview

Static

static

3

BootstrapperNew.exe

windows7-x64

BootstrapperNew.exe

windows10-2004-x64

Sharing

General

Target

BootstrapperNew.exe
Size

2.9MB
Sample

250305-qpt61azmx7
MD5

289c60ad685f6489a427d784e15644ee
SHA1

df342b58f869ba112b25d7200f7d13926157a907
SHA256

cb77cc2932fd091798e577cb18708b0ed58bd6c126059fbdb3d6a4024c6a29cc
SHA512

b7c81d005620cfb0dc05392d40dbd0b3c1cae6c43cac27e5c09491a8be5f6b5eff1c6073e91bd61dac0499240b458b844630a008abc3fc1ab213f36fcc7952f5
SSDEEP

49152:2OTZvMkdOTzwUTZ8TfTuXJj8OtV+RvY/p7msa2aDsKuBGXzOlo3diaf/M9trcVzE:ROkdOTz9Zb+ODEvYR7msaPBu5Adib7r/

Score

10^/10

xworm defense_evasion discovery execution persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

BootstrapperNew.exe

Resource

win7-20240903-en

xworm defense_evasion discovery execution persistence rat trojan

windows7-x64

16 signatures

300 seconds

Behavioral task

behavioral2

Sample

BootstrapperNew.exe

Resource

win10v2004-20250217-en

xworm defense_evasion discovery execution rat trojan

windows10-2004-x64

18 signatures

300 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe

exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Extracted

Family

xworm

Attributes

Install_directory
%port%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/J42c6s7r

Targets

- Target
  
  BootstrapperNew.exe
- Size
  
  2.9MB
- MD5
  
  289c60ad685f6489a427d784e15644ee
- SHA1
  
  df342b58f869ba112b25d7200f7d13926157a907
- SHA256
  
  cb77cc2932fd091798e577cb18708b0ed58bd6c126059fbdb3d6a4024c6a29cc
- SHA512
  
  b7c81d005620cfb0dc05392d40dbd0b3c1cae6c43cac27e5c09491a8be5f6b5eff1c6073e91bd61dac0499240b458b844630a008abc3fc1ab213f36fcc7952f5
- SSDEEP
  
  49152:2OTZvMkdOTzwUTZ8TfTuXJj8OtV+RvY/p7msa2aDsKuBGXzOlo3diaf/M9trcVzE:ROkdOTz9Zb+ODEvYR7msaPBu5Adib7r/
Score

10^/10

xworm defense_evasion discovery execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasiondiscoveryexecutionpersistencerattrojan

behavioral2

xwormdefense_evasiondiscoveryexecutionrattrojan

© 2018-2025

Terms | Privacy