General

  • Target

    byfron_bypass.exe

  • Size

    18KB

  • Sample

    231208-aph6qsgc68

  • MD5

    5bd350bc71289dbd7c51db52c088870d

  • SHA1

    2f5ea7492c82f84c2e1c7731fe761f9ec6999e2a

  • SHA256

    2220cf943e357754b35ea78fc1b0ec8801130409dc0e5c49854957f140dd2852

  • SHA512

    dab49aac7c7b03b92e4bef6022ff7beb00ed2b30313f4d5b9e5789434058a7c21d3065f0f2a6ddaf3be1e8790241fb0a36ef5e888f6a4cbd7478cde4df83c3c6

  • SSDEEP

    384:GdCbT8Fa1Tu4nX19ZDkOJtLgwrbj8qL2wNoFmqOk7o9:9dFXDkO3gwr9LS7o9

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1182449804958248970/DRF0ya2e3evg84K0Bvj6KDwl3i7xtSWZ3g0gIs0o-TUVRK-JP1st19-yHi5V8uo23sfe

Extracted

Family

xworm

C2

owner-cc.gl.at.ply.gg:32281

Attributes

  • Install_directory

    %AppData%

  • install_file

    WindowsSoundSystem.exe

Targets

    • Target

      byfron_bypass.exe

    • Size

      18KB

    • MD5

      5bd350bc71289dbd7c51db52c088870d

    • SHA1

      2f5ea7492c82f84c2e1c7731fe761f9ec6999e2a

    • SHA256

      2220cf943e357754b35ea78fc1b0ec8801130409dc0e5c49854957f140dd2852

    • SHA512

      dab49aac7c7b03b92e4bef6022ff7beb00ed2b30313f4d5b9e5789434058a7c21d3065f0f2a6ddaf3be1e8790241fb0a36ef5e888f6a4cbd7478cde4df83c3c6

    • SSDEEP

      384:GdCbT8Fa1Tu4nX19ZDkOJtLgwrbj8qL2wNoFmqOk7o9:9dFXDkO3gwr9LS7o9

    • Detect Umbral payload

    • Detect Xworm Payload

    • Umbral

      Umbral stealer is an open-source modular stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
