File name:	bootstrapper.exe
Full analysis:	https://app.any.run/tasks/19acca8a-7370-48ab-8c91-455317917a71
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	August 19, 2024, 20:05:27
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	pastebin evasion stealer xworm remote loader qrcode
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5:	5F7CCCEBD1E6D445CC87A08A85012DDD
SHA1:	70779F96E6BF2D89D0FB3734D8D868CF78941229
SHA256:	A0A4F7B86592CB84BCD7FC67C85EAABFEDE05D9AD95910C94CE8C7D528F1605D
SSDEEP:	12288:oaOOQCnm+C0gy8XaHmnvdDWDkQ7txwxTz+Xc/FxYALvau6jIwELhj1TWq7yOLsjo:oaOOlnm+C0e+wvdDekctxSt+KypZwjx9

.exe	\|	Win64 Executable (generic) (61.6)
.dll	\|	Win32 Dynamic Link Library (generic) (14.6)
.exe	\|	Win32 Executable (generic) (10)
.exe	\|	Win16/32 Executable Delphi generic (4.6)
.exe	\|	Generic Win/DOS Executable (4.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	6
CodeSize:	1536
InitializedDataSize:	654336
UninitializedDataSize:	-
EntryPoint:	0x143d
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(6680) bootstrapper.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6680) bootstrapper.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6680) bootstrapper.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6680) bootstrapper.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6864) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6864) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6864) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6864) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6200) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6200) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

PID	Process	Filename		Type
6680	bootstrapper.exe	C:\Users\admin\AppData\Local\Temp\bootstrapper.bat		text
		MD5:02BD7CE04003F184CF3965237D755B4A	SHA256:1C38767D90D9A621D73BA0AFB3E8CE868EEA557754EEF139576E20D25A3F2B55
6864	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ur3y3pr1.av4.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6652	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hbwod0te.44f.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6864	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kgwp0z3c.3ti.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6452	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_joukbpkn.nwu.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6452	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fxvs2s1m.vks.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6652	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vbrszigy.zgj.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6652	powershell.exe	C:\Users\admin\Desktop\bootstrapper.exe		executable
		MD5:76639AB92661F5C384302899934051AB	SHA256:6BB9AD960BCC9010DB1B9918369BDFC4558F19287B5B6562079C610A28320178
208	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_foyltw2r.3hx.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6200	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_x4jqyouc.zsl.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6652	powershell.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	—	—	shared
5304	msiexec.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D	unknown	—	—	whitelisted
—	—	GET	200	128.116.123.3:443	https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live	unknown	binary	119 b	unknown
—	—	GET	200	104.21.93.27:443	https://getsolara.dev/asset/discord.json	unknown	binary	103 b	unknown
5304	msiexec.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAOO2y%2FG5AVzGnYPFRYUTIU%3D	unknown	—	—	whitelisted
—	—	GET	307	104.20.22.46:443	https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi	unknown	text	15 b	unknown
—	—	GET	200	104.20.22.46:443	https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi	unknown	executable	30.0 Mb	unknown
—	—	GET	200	104.20.3.235:443	https://pastebin.com/raw/xr5Gb4Bn	unknown	binary	497 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
1292	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
1616	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4324	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1292	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2324	bootstrapper.exe	172.67.203.125:443	getsolara.dev	CLOUDFLARENET	US	unknown
6652	powershell.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	unknown
2324	bootstrapper.exe	172.67.19.24:443	pastebin.com	CLOUDFLARENET	US	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 20.73.194.208	whitelisted
google.com	216.58.206.78	whitelisted
getsolara.dev	172.67.203.125 104.21.93.27	unknown
ip-api.com	208.95.112.1	shared
pastebin.com	172.67.19.24 104.20.4.235 104.20.3.235	shared
clientsettings.roblox.com	128.116.123.3	whitelisted
www.nodejs.org	104.20.23.46 104.20.22.46	whitelisted
nodejs.org	104.20.23.46 104.20.22.46	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted

PID	Process	Class	Message
2256	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2256	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2256	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Online Pastebin Text Storage
6652	powershell.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
6652	powershell.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
6652	powershell.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm TCP Packet

General Info

bootstrapper.exe

5F7CCCEBD1E6D445CC87A08A85012DDD

70779F96E6BF2D89D0FB3734D8D868CF78941229

A0A4F7B86592CB84BCD7FC67C85EAABFEDE05D9AD95910C94CE8C7D528F1605D

12288:oaOOQCnm+C0gy8XaHmnvdDWDkQ7txwxTz+Xc/FxYALvau6jIwELhj1TWq7yOLsjo:oaOOlnm+C0e+wvdDekctxSt+KypZwjx9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Bypass)

Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

Bypass execution policy to execute commands

Run PowerShell with an invisible window

Uses AES cipher (POWERSHELL)

Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

Actions looks like stealing of personal data

Adds path to the Windows Defender exclusion list

Adds process to the Windows Defender exclusion list

Create files in the Startup directory

Uses Task Scheduler to run other applications

XWORM has been detected (SURICATA)

XWORM has been detected (YARA)

SUSPICIOUS

Drops the executable file immediately after the start

Reads security settings of Internet Explorer

Cryptography encrypted command line is found

Reads the date of Windows installation

Executing commands from a ".bat" file

Probably obfuscated PowerShell command line is found

Starts CMD.EXE for commands execution

The process bypasses the loading of PowerShell profile settings

Starts POWERSHELL.EXE for commands execution

The process executes VB scripts

Application launched itself

Runs shell command (SCRIPT)

Executable content was dropped or overwritten

Script adds exclusion path to Windows Defender

Checks for external IP

Script adds exclusion process to Windows Defender

Process drops legitimate windows executable

Connects to unusual port

Checks Windows Trust Settings

Contacting a server suspected of hosting an CnC

Adds/modifies Windows certificates

Reads the Windows owner or organization settings

INFO

Checks supported languages

Create files in a temporary directory

Process checks computer location settings

Uses string split method (POWERSHELL)

Reads the computer name

Gets data length (POWERSHELL)

Script raised an exception (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

Reads Environment values

Disables trace logs

Reads the software policy settings

Reads the machine GUID from the registry

Checks proxy server information

Creates files or folders in the user directory

Executable content was dropped or overwritten

Application launched itself

Malware configuration

XWorm

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules