Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    XClient.exe

  • Size

    137KB

  • Sample

    240227-vmd48aef63

  • MD5

    e09d49a6363409dceb37e1a4eb46c337

  • SHA1

    3ea58317e91173b2a0d933f1a62096a469669049

  • SHA256

    54126a6703276127b5748d2a38fa05330405cca356069571ee10350f655890bb

  • SHA512

    a8fc0c70c13ee6ce01411659986daabe2106a4685e404ee63ef02283928cb9b1a94f79da386896a2d9b8218bce60bebd6d53f249697da9422e7393ec6329d2cd

  • SSDEEP

    768:fjydtdHSpeUGDEqb1Fu9XoOfhEDL2NODfzkeoTpGB:y9UGIqpFu9XoOfnsfkHIB

Score
10/10

Malware Config

Extracted

Family

xworm

Version

3.1

C2

hydraww.ddns.net:80

Mutex

vjdvm5kiFTVTTlzT

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

aes.plain

Targets

    • Target

      XClient.exe

    • Size

      137KB

    • MD5

      e09d49a6363409dceb37e1a4eb46c337

    • SHA1

      3ea58317e91173b2a0d933f1a62096a469669049

    • SHA256

      54126a6703276127b5748d2a38fa05330405cca356069571ee10350f655890bb

    • SHA512

      a8fc0c70c13ee6ce01411659986daabe2106a4685e404ee63ef02283928cb9b1a94f79da386896a2d9b8218bce60bebd6d53f249697da9422e7393ec6329d2cd

    • SSDEEP

      768:fjydtdHSpeUGDEqb1Fu9XoOfhEDL2NODfzkeoTpGB:y9UGIqpFu9XoOfnsfkHIB

    Score
    10/10
    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks