Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

20/02/2024, 17:31

240220-v341kscc7s 10

20/02/2024, 16:50

240220-vcd2gacc66 10

General

  • Target

    XClient.exe

  • Size

    76KB

  • Sample

    240220-vcd2gacc66

  • MD5

    d3953f8988cf3b75478a3c8d103d1e1e

  • SHA1

    19a8d8f0c06902af448800faf29761a5dba7344c

  • SHA256

    8367b712426af8646d6350d302a0cd406413fa9a2f28d1bde1df0236282a15ef

  • SHA512

    cb4436f73f4c7762c4fcc07947f4144b0e8ec8923ff8609532271cdc231f665c36369dc29f013712c90dabb77b960fec4babfc1cff912394fa1de0e53e8aec11

  • SSDEEP

    1536:0hy4PT1ivp6kJ4pHbkQBh7Q4iMnMg6jOjUKHq:W0Q1bD5iWcOjtq

Malware Config

Extracted

Family

xworm

C2

hydraforce-45677.portmap.io:45677

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      XClient.exe

    • Size

      76KB

    • MD5

      d3953f8988cf3b75478a3c8d103d1e1e

    • SHA1

      19a8d8f0c06902af448800faf29761a5dba7344c

    • SHA256

      8367b712426af8646d6350d302a0cd406413fa9a2f28d1bde1df0236282a15ef

    • SHA512

      cb4436f73f4c7762c4fcc07947f4144b0e8ec8923ff8609532271cdc231f665c36369dc29f013712c90dabb77b960fec4babfc1cff912394fa1de0e53e8aec11

    • SSDEEP

      1536:0hy4PT1ivp6kJ4pHbkQBh7Q4iMnMg6jOjUKHq:W0Q1bD5iWcOjtq

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Modifies Windows Defender Real-time Protection settings

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks