Resubmissions

  • 14/03/2024, 10:26: 240314-mgrjcsbh52 (score 10)
  • 14/03/2024, 10:25: 240314-mfxc8ahe7z (score 10)

General

  • Target: Rino.s.Discord.Account.ToolKit.rar
  • Size: 16.1MB
  • Sample: 240314-mfxc8ahe7z
  • MD5: 9258c0946544389aaa4c6626be1f32b2
  • SHA1: 8cc5e825f68430a38869f1687d9289604af67681
  • SHA256: 4b14895a45058c34fb029d0b867412bba2ba76aceb444f28b3b312b98a5a73df
  • SHA512: f00e82e6f3c4b07e6ab0a71c86e61fe75fbd544a97618848d006814e769fa967456dbc7d930ddd559ee3ffc1c4dc8c66ee6c698ad519826aeab7fd77e20509d0
  • SSDEEP: 393216:/FyyIpYYMaBD6MhZj8nYRSAAJVU5ma1ZYxCclf:dyy5YF6ML8YUCma1C8clf

Malware Config

Extracted

  • Family: xworm
  • Version: 3.1
  • Attributes
      • install_file: game.exe

Targets

    • Target: Rino's Discord Account ToolKit/Rino's Discord Account ToolKit.exe.config
    • Size: 798B
    • MD5: 507dc469ba6375912a430e71a6cf170d
    • SHA1: dbed5ada57b013e955b5a1224f001688a5382a84
    • SHA256: 9ddb28bd07df5784cd6b11f632f7d862f31593af848e1feb7700020ff96984d8
    • SHA512: f43dc12cd0f9228b8ac326d4b2eb61beb48c5df5cc4f714b8ba2e8e6dfa17e49da291b0653b37989588c82b743bd77d71ceafe21e46370a6bc1170cfdd5c3b5e
    • Score: 1/10
    • Target: Rino's Discord Account ToolKit/Rino's Discord Account ToolKit.pdb
    • Size: 37KB
    • MD5: 1b7793d953d507e4485773a501a287b7
    • SHA1: 01e3d15e1ec4a1ea575c2749c5df1adf4d79e7cb
    • SHA256: afab8369e4387abd8620802be1481df2e5957834aee7d1604b120b2bc63029b1
    • SHA512: 4eba9e46a1e74cf3104fd170a59e0c234c194ce8e9e0f5f56d98afe7a51080433504713ee791090b5f5624f745ab8c145397d5c1e77023c3201c8130f1a785a8
    • SSDEEP: 768:bJlvT/BCXTX2fC4Kr0gC9KKnTSISGf45VjzxlrWcSZY:bJlvT/BCjqSYSy2xlrWcSZY
    • Score: 3/10
    • Target: Rino's Discord Account ToolKit/Rino's Discord Acount toolkit.exe
    • Size: 12.2MB
    • MD5: cdc81da043cabb61816f918cc3ffc632
    • SHA1: c7c4371dacb34c40e5b918bf899f408b18fbe6ae
    • SHA256: 3c8640d80b6fd56b31cd595276975c689e18b9184c27bfc92be319c014f2e05d
    • SHA512: 187b4b4fdb40ac4a26a9a569557189a667187302b9a6eb2e7181d4c00d2051d94bd7958263f62792b7c01c828726760667e1fc7cd718fff40896821f80af8092
    • SSDEEP: 196608:lrMQ8CGnMjYBptuSBeOdOVgVRO+AzLjv+bhqNVoBLD7fEXEoYbiIv9VSEXvvk9fs:1GaGtuSPzRgnL+9qz8LD7fEUbiI6NQca
    • Score: 10/10
    • Signatures:
        • Deletes Windows Defender Definitions: Uses mpcmdrun utility to delete all AV definitions.
        • Executes dropped EXE
        • Loads dropped DLL
        • UPX packed file: Detects executables packed with UPX/modified UPX open source packer.

    • Target: �l˷��&.pyc
    • Size: 1KB
    • MD5: 0d80ae7e50e353758e3ba35dd926c063
    • SHA1: 502825da01fed477334e3513f771c1402d058cde
    • SHA256: b59f89753329b0c4fbc9ceb8d6a752b7df6e133f402c30fc3beffd5e552794f2
    • SHA512: cef3f38ffbdde8d6c661db43c9a8012d23d147bc35f9f4f1e0f13befb68358deeea5b68461576b55fb7228d06aba6fa6c4a6b863bfdabc4c7f0bf32ce592623a
    • Score: 1/10
    • Target: Rino's Discord Account ToolKit/Rinos_Discord_Account_ToolKit.exe
    • Size: 4.3MB
    • MD5: a7553cc8ad2b91025f5bfb532090d2b6
    • SHA1: 5326aeb29d57118faaad3af9946584b87ad7f0d0
    • SHA256: 6aeee8b13c11c4157a2a92a38270c30af85fb060e5ccf3ef54994d2c3a1cf5b4
    • SHA512: 1a62dec71262fcf6561cf6ea615f9cb0a4d9d495e8759ab62b5980f6ad4211effce2e3f0726e69afb55441999e264ea25512db0e6d584d4c7e3c949429c9b81c
    • SSDEEP: 98304:XIPanxb7sGW9NcEJn5kKxGOd82SqTxaA/XjOqC1kIq9o8ha:Ys7sGqNcLGGOJSeV7L9o
    • Score: 10/10
    • Signatures:
        • Detect Xworm Payload
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Xworm: Xworm is a remote access trojan written in C#.
        • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
        • Drops startup file
        • Executes dropped EXE
        • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks