General

  • Target

    781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434_JC.exe

  • Size

    606KB

  • Sample

    231011-ne2f8adb83

  • MD5

    c7b28f5f9fb6780fc0976a8383696818

  • SHA1

    af6654f093fe2af97b024dfe8067e0aa8dc93816

  • SHA256

    781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434

  • SHA512

    955e32a0171de8c527906559af067a4b5c25fc6a91ffcb9b1c57f934c82b7ab31885c6b82cf1610c8497b8350523a2316c12fcb8e6a68eb984a6684d4a15a841

  • SSDEEP

    12288:NcrNS33L10QdrXjNfmDnDnCXgUcYfOfAFczhTjHsHLzuhV2Rj+TF:wNA3R5drXwDDuhcY7c9TSuhE4F

Score
10/10

Malware Config

Extracted

Family

xworm

Version

3.1

C2

floptuytonroyem.sytes.net:7004

Mutex

cEHiEYwUFLZIOeZI

Attributes

  • install_file

    USB.exe

aes.plain

Targets

    Score
    10/10

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks