General

  • Target

    33f4da54d0818b1057088933aa143d64.bin

  • Size

    42KB

  • Sample

    231121-bstmbaca5v

  • MD5

    33f4da54d0818b1057088933aa143d64

  • SHA1

    9735288f7295d46685425eb3563fe8400dd9531a

  • SHA256

    774f2a3f0d583501835a717a03f508ada182181d4c4ccb374ce07de72187fd7f

  • SHA512

    0a04c1b3e69060a95848b6e1006bbb84301edd5390ca35c00127dce05f55c2045f4b18a347fa0311ed4c5f2f524dcdc415eeda698d26feac742dd1c6e48d9a37

  • SSDEEP

    768:YTts7oAqUs54ZFLterXT+2n4KXAAZFEPh9/qYOChHvk2BYLfgQ:keHY4jsrTTX9Fw9/qYOC2Q+7

Malware Config

Extracted

Family

xworm

Version

3.1

C2

2.tcp.eu.ngrok.io:19217

Mutex

tPbnBtGFRRkRqaeq

Attributes

  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Targets

    • Target

      33f4da54d0818b1057088933aa143d64.bin

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.