Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    740253f7075ea5e09021a78ff868d9c90931210aa12e2da91b60f1ea7380f759(1)

  • Size

    315KB

  • Sample

    231003-rpexrabe4z

  • MD5

    754a0ca3356a8f76909cd9c5c41234d5

  • SHA1

    c3d9d52316b071f0db5ca9cd6999bfc06141795b

  • SHA256

    740253f7075ea5e09021a78ff868d9c90931210aa12e2da91b60f1ea7380f759

  • SHA512

    d1fdc37b367dd2dba4cb75021299c12c22064b40d48ba6250568727b565e73c7bbe03691bb0b288dc0b588679d6d9408bf7ff7bb60a69b26e41cf69c4c78fbe5

  • SSDEEP

    6144:K3B4ZXBhCirEL5BH46Zk16P9R8G1jqJ6TVKSK:K3BghvrELPH46ZAKjoQES

Malware Config

Extracted

Family

xworm

Version

5.0

C2

brightle.ddns.net:7000

Mutex

jaSa0S2QQOuGarf8

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      740253f7075ea5e09021a78ff868d9c90931210aa12e2da91b60f1ea7380f759(1)

    • Size

      315KB

    • MD5

      754a0ca3356a8f76909cd9c5c41234d5

    • SHA1

      c3d9d52316b071f0db5ca9cd6999bfc06141795b

    • SHA256

      740253f7075ea5e09021a78ff868d9c90931210aa12e2da91b60f1ea7380f759

    • SHA512

      d1fdc37b367dd2dba4cb75021299c12c22064b40d48ba6250568727b565e73c7bbe03691bb0b288dc0b588679d6d9408bf7ff7bb60a69b26e41cf69c4c78fbe5

    • SSDEEP

      6144:K3B4ZXBhCirEL5BH46Zk16P9R8G1jqJ6TVKSK:K3BghvrELPH46ZAKjoQES

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks