General

  • Target

    obfuscated.exe

  • Size

    38.3MB

  • Sample

    240308-hfbpashf78

  • MD5

    69a03bb48ee81a00bd8347bc420a0342

  • SHA1

    b16cb191f4a5f5b151d8fe9591e81657e1d0366c

  • SHA256

    a19ca27eb45dc2e8851f7c93097f92ac78f7971d43b4685d16c706e3c2524434

  • SHA512

    63c3e80a6848fedf368e0be17119a21cba2074b2e4f1c50d48fcc200537e0c07f2da809cf463001a99da2fc56206414d0ceef6bebf5e5c1d9e22c4b8968275c7

  • SSDEEP

    393216:d76L6otUitqtH7wHtXq2pt2jbOCacCFIK0fpP9HF4VW8yfcnVQx4urYsANulL7Na:d0LoCOn+2cs4urYDNulLBiue

Malware Config

Extracted

Family

xworm

Version

5.0

C2

91.92.245.248:7000

Mutex

8ZKAq60sTZYIePSv

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    proquota.exe

aes.plain

Targets

    • Target

      obfuscated.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
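The extracted config (C2, mutex, install directory and file name) and the persistence and network signatures above are enough to hunt for this sample on other hosts. The following script is an added example written for this report, not tria.ge code: it normalises the config values into indicators and runs them over Sysmon-style events (IDs 3, 11 and 13 with Sysmon's field names). The event list, the victim SID and the default `C:\ProgramData` expansion are constructed assumptions; the hashes, C2 and paths are the ones shown on this page.

```python
"""Derive IOCs from the Xworm config extracted above and check them against
Sysmon-style events.  Added example for this report; not tria.ge's code."""
from dataclasses import dataclass

# Values copied verbatim from the "Malware Config" section of this page.
EXTRACTED_CONFIG = {
    "family": "xworm",
    "version": "5.0",
    "c2": "91.92.245.248:7000",
    "mutex": "8ZKAq60sTZYIePSv",
    "install_directory": "%ProgramData%",
    "install_file": "proquota.exe",
}

# Assumption: the default Windows expansion of the folder variable.  A host
# with a relocated ProgramData folder needs its real value substituted here.
DEFAULT_FOLDERS = {
    "%programdata%": r"C:\ProgramData",
}


@dataclass(frozen=True)
class Iocs:
    c2_ip: str
    c2_port: int
    mutex: str          # only checkable on a live host (handle enumeration)
    install_path: str   # lower-cased so path comparisons are case-insensitive


def iocs_from_config(cfg: dict) -> Iocs:
    """Normalise the extracted config into the indicators a hunt needs."""
    ip, _, port = cfg["c2"].rpartition(":")
    folder = DEFAULT_FOLDERS.get(cfg["install_directory"].lower(),
                                 cfg["install_directory"])
    return Iocs(
        c2_ip=ip,
        c2_port=int(port),
        mutex=cfg["mutex"],
        install_path=(folder + "\\" + cfg["install_file"]).lower(),
    )


def match_events(iocs: Iocs, events: list) -> list:
    """Return one finding string per event that matches the Xworm IOCs.

    Event IDs follow Sysmon: 3 = network connection, 11 = file create,
    13 = registry value set.  Field names are Sysmon's.
    """
    hits = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 3 and ev["DestinationIp"] == iocs.c2_ip \
                and int(ev["DestinationPort"]) == iocs.c2_port:
            hits.append(f"C2 connection {iocs.c2_ip}:{iocs.c2_port} "
                        f"from {ev['Image']}")
        elif eid == 11 and ev["TargetFilename"].lower() == iocs.install_path:
            hits.append(f"Xworm drop {ev['TargetFilename']} by {ev['Image']}")
        elif eid == 13 and "\\currentversion\\run\\" in ev["TargetObject"].lower() \
                and iocs.install_path in ev["Details"].lower():
            hits.append(f"Run key persistence {ev['TargetObject']} -> "
                        f"{ev['Details']}")
    return hits


# Constructed events, not taken from the sandbox run: one drop, one Run key,
# one C2 connection and one benign SMB connection that must not match.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\victim\Downloads\obfuscated.exe",
     "TargetFilename": r"C:\ProgramData\proquota.exe"},
    {"EventID": 13, "Image": r"C:\Users\victim\Downloads\obfuscated.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\proquota",
     "Details": r"C:\ProgramData\proquota.exe"},
    {"EventID": 3, "Image": r"C:\ProgramData\proquota.exe",
     "DestinationIp": "91.92.245.248", "DestinationPort": "7000"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": "445"},
]


def hunt() -> list:
    """Run the page's IOCs over the constructed events."""
    return match_events(iocs_from_config(EXTRACTED_CONFIG), SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

Two caveats when using this against real telemetry: the external-IP lookup the sandbox flagged goes to a legitimate service and is deliberately not treated as an indicator on its own, and the mutex cannot be seen in Sysmon at all, so it only helps on a live host where handles can be enumerated. A file-hash check against the SHA256 above is worth adding, but the dropped `proquota.exe` is not guaranteed to be byte-identical to the submitted `obfuscated.exe`.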

MITRE ATT&CK Enterprise v15

Tasks