Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    XClient.exe

  • Size

    53KB

  • Sample

    231022-m8bbfshe97

  • MD5

    eaaac4a17b21194048d0f564418354eb

  • SHA1

    cf80a897ef1c3ce5ee96c4a76361fa393b0377e3

  • SHA256

    d5070e263784d46bf63ef95bb678f6fc52677e8f80aabdd731fc4962d3d11853

  • SHA512

    ae87e9fda5144e362162700f46dbacd26ffda4743d006c20dd6c0b662ef1a9cba055d9e7c743d8d7faae5e38b4a7ca9913ca4cccc69bb09ef7e51e115ecd7ff4

  • SSDEEP

    1536:F4DwCp5o8ExxcGF69Wu6ZOCV2qV64fUX8u:F4DwKaTxmGF69WZOCTVhcX8u

Malware Config

Extracted

Family

xworm

Version

5.0

C2

goheg99417-59409.portmap.host:59409

Mutex

cHm9d6xtfIRWUS7Z

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    XClient.exe

aes.plain

Targets

    • Target

      XClient.exe

    • Size

      53KB

    • MD5

      eaaac4a17b21194048d0f564418354eb

    • SHA1

      cf80a897ef1c3ce5ee96c4a76361fa393b0377e3

    • SHA256

      d5070e263784d46bf63ef95bb678f6fc52677e8f80aabdd731fc4962d3d11853

    • SHA512

      ae87e9fda5144e362162700f46dbacd26ffda4743d006c20dd6c0b662ef1a9cba055d9e7c743d8d7faae5e38b4a7ca9913ca4cccc69bb09ef7e51e115ecd7ff4

    • SSDEEP

      1536:F4DwCp5o8ExxcGF69Wu6ZOCV2qV64fUX8u:F4DwKaTxmGF69WZOCTVhcX8u

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks