General

  • Target

    d0ec40d1ae32bddb9159e4daa86d2b15535fe6cd456f8251d78fe64667d8abb1_JC.js

  • Size

    7KB

  • Sample

    231010-wwhz7sfe4v

  • MD5

    4e0ea5c5808c3d0cf7006eb0ef347c4b

  • SHA1

    80f8f2d5b7caf2f13b1edd764e56f46930754edc

  • SHA256

    d0ec40d1ae32bddb9159e4daa86d2b15535fe6cd456f8251d78fe64667d8abb1

  • SHA512

    40745410c37e8cf392c59ca9c8d04779c96624eefe7b8f90f3876f8c54c60518a622db9553b0420f77b34582a586ec68b664089f909e37043a11c0d9734a44d4

  • SSDEEP

    48:iVnz7HAx3ZSGwW6PnWe28gR7osdSrwyNNgnw5:itfHAx3ZzwWKWTnR7o8SrwqNgnw5

Malware Config

Extracted

Family

xworm

Version

3.1

C2

lee44.kozow.com:4548

Mutex

Nkk86vl4S3wOFCBy

Attributes

  • install_file

    USB.exe

  • aes.plain

    1
    lLlfHwi3lJNTOdBCxGJi2A==

Extracted

Family

wshrat

C2

http://chongmei33.publicvm.com:7045

Targets

    • Target

      d0ec40d1ae32bddb9159e4daa86d2b15535fe6cd456f8251d78fe64667d8abb1_JC.js

    • Size

      7KB

    • MD5

      4e0ea5c5808c3d0cf7006eb0ef347c4b

    • SHA1

      80f8f2d5b7caf2f13b1edd764e56f46930754edc

    • SHA256

      d0ec40d1ae32bddb9159e4daa86d2b15535fe6cd456f8251d78fe64667d8abb1

    • SHA512

      40745410c37e8cf392c59ca9c8d04779c96624eefe7b8f90f3876f8c54c60518a622db9553b0420f77b34582a586ec68b664089f909e37043a11c0d9734a44d4

    • SSDEEP

      48:iVnz7HAx3ZSGwW6PnWe28gR7osdSrwyNNgnw5:itfHAx3ZzwWKWTnR7o8SrwqNgnw5

    • Detect Xworm Payload

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks