xworm | a84273c5deb772a3c6d1e32e2c017136d734f82c160c6554eb0d7fed8203eb0c | Triage

Submit
Reports

Overview

overview

Static

static

3

BootstrapperNew.exe

windows7-x64

BootstrapperNew.exe

windows10-2004-x64

Sharing

General

Target

BootstrapperNew.exe
Size

2.9MB
Sample

250306-vsb7tattat
MD5

afc3d1344bdaf253fbfa774c1bbace0a
SHA1

adf47d0df0c94564c559da98500e7e19165a9cea
SHA256

a84273c5deb772a3c6d1e32e2c017136d734f82c160c6554eb0d7fed8203eb0c
SHA512

623839618cbb3f06b06b920bee1908a005cba8432b1c04170397a7ab959fd038c8221c82d3e972dfaacaf791ddcb9384fc49a95d8f52fa90f4f778ba188d2064
SSDEEP

49152:kVvs4yZZB2bs5dbMZfaFs+mVZgAnu6aTlFCtx3RH4leIu/UGTB0KZR6KTPCdB:kVvs4yZX2bs5dbMirIZgAnKTlFEwAvzy

Score

10^/10

xworm defense_evasion discovery execution persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

BootstrapperNew.exe

Resource

win7-20240903-en

xworm defense_evasion discovery execution rat trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

BootstrapperNew.exe

Resource

win10v2004-20250217-en

xworm defense_evasion discovery execution persistence rat trojan

windows10-2004-x64

32 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe

exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Extracted

Family

xworm

Attributes

Install_directory
%port%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/J42c6s7r

Targets

- Target
  
  BootstrapperNew.exe
- Size
  
  2.9MB
- MD5
  
  afc3d1344bdaf253fbfa774c1bbace0a
- SHA1
  
  adf47d0df0c94564c559da98500e7e19165a9cea
- SHA256
  
  a84273c5deb772a3c6d1e32e2c017136d734f82c160c6554eb0d7fed8203eb0c
- SHA512
  
  623839618cbb3f06b06b920bee1908a005cba8432b1c04170397a7ab959fd038c8221c82d3e972dfaacaf791ddcb9384fc49a95d8f52fa90f4f778ba188d2064
- SSDEEP
  
  49152:kVvs4yZZB2bs5dbMZfaFs+mVZgAnu6aTlFCtx3RH4leIu/UGTB0KZR6KTPCdB:kVvs4yZX2bs5dbMirIZgAnKTlFEwAvzy
Score

10^/10

xworm defense_evasion discovery execution rat trojan persistence
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasiondiscoveryexecutionrattrojan

behavioral2

xwormdefense_evasiondiscoveryexecutionpersistencerattrojan

© 2018-2025

Terms | Privacy