General

  • Target

    SteamSetup.exe

  • Size

    7.6MB

  • Sample

    231011-fwfxvade63

  • MD5

    e9e90acb743b53007dc1b7908cadec37

  • SHA1

    c396df39ae540bd589802d17bbc5382740f4d861

  • SHA256

    e6234adc4009f934481d9138b131bf9567514c8384851a5d6e7f0c1fc96cb07b

  • SHA512

    dfc447434af9f7051587a20cc523236ffd2bcbea638173912f3bf898f90007315c446390ef7ac83b3b1dcfdb4b6cca76a8c7ba4c2ef15b1b60f06bfd77492123

  • SSDEEP

    196608:1l7x31wnc72nlUrZADXfphNBbXtVWrLXQr9lba:R31wnc6mAbfpVfWgDa

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
