xworm | cc4f04bb11e1e2ea13d0c1d7d6961dffa798fb480879252f147393ae3496d202 | Triage

Submit
Reports

Overview

overview

Static

static

7

SolaraBoot...er.rar

windows7-x64

3

SolaraBoot...er.rar

windows10-2004-x64

3

SolaraBoot...er.exe

windows7-x64

SolaraBoot...er.exe

windows10-2004-x64

Sharing

General

Target

SolaraBootstrapper.rar
Size

2.5MB
Sample

240629-1tcgvs1anj
MD5

3917140ba46745b8a852fc8c48718a78
SHA1

97000a0f43db8aaccd780feb9f9ec444dbb7ff94
SHA256

cc4f04bb11e1e2ea13d0c1d7d6961dffa798fb480879252f147393ae3496d202
SHA512

5395b5b0cc573dba93b525db6d8630ab8eb21ac786d5850d89417608878c4be2fb1395dca66f5169a7ca26bca4cfbf26c75ed2dfb99e00b97ede211e88b9eb7d
SSDEEP

49152:+DkoW+7VTfW3zxmowokKsca1oLOgi3ZI13FwhvkhO2fEK3QeFwzt5h5Hn3YigNR:+DHWi+VMokKscGOOgeiheGOuFMh93YLn

Score

10^/10

xworm evasion persistence rat themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

SolaraBootstrapper.rar

Resource

win7-20240611-en

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

SolaraBootstrapper.rar

Resource

win10v2004-20240611-en

windows10-2004-x64

3 signatures

150 seconds

Behavioral task

behavioral3

Sample

SolaraBootstrapper.exe

Resource

win7-20240220-en

xworm evasion persistence rat themida trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral4

Sample

SolaraBootstrapper.exe

Resource

win10v2004-20240508-en

xworm evasion persistence rat themida trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

3.1

C2

feature-mouse.gl.at.ply.gg:32683

Mutex

VQh28vrCo2a4H2gG

Attributes

Install_directory
%Temp%
install_file
USB.exe

aes.plain

Targets

- Target
  
  SolaraBootstrapper.rar
- Size
  
  2.5MB
- MD5
  
  3917140ba46745b8a852fc8c48718a78
- SHA1
  
  97000a0f43db8aaccd780feb9f9ec444dbb7ff94
- SHA256
  
  cc4f04bb11e1e2ea13d0c1d7d6961dffa798fb480879252f147393ae3496d202
- SHA512
  
  5395b5b0cc573dba93b525db6d8630ab8eb21ac786d5850d89417608878c4be2fb1395dca66f5169a7ca26bca4cfbf26c75ed2dfb99e00b97ede211e88b9eb7d
- SSDEEP
  
  49152:+DkoW+7VTfW3zxmowokKsca1oLOgi3ZI13FwhvkhO2fEK3QeFwzt5h5Hn3YigNR:+DHWi+VMokKscGOOgeiheGOuFMh93YLn
Score

3^/10
behavioral1 behavioral2
- Target
  
  SolaraBootstrapper.exe
- Size
  
  2.5MB
- MD5
  
  b438aa2ccb3380494ca147d34d3fba56
- SHA1
  
  fdbc721bf15236cc981a95ffda53feba6a7033ca
- SHA256
  
  8f26519cc724675fe6112c07b20ff129543125822d2f320f7648775b8ba4781f
- SHA512
  
  39b3974af9558feb0712b91b40dd2de75a785a6b02fd4c1ab2839ae3c9c352e23a4a84efbb4d48d16b30f8fd6275341fdeca59938f018070721141e8c7db1af8
- SSDEEP
  
  49152:fnZqHAl+vgnacJLGSeZs+OmboDdYQ4GGc5QM47XVF:fZq34nayLGSeTjg2c5Qv
Score

10^/10

xworm evasion persistence rat themida trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

behavioral3

xwormevasionpersistenceratthemidatrojan

behavioral4

xwormevasionpersistenceratthemidatrojan

© 2018-2024

Terms | Privacy