
Resubmissions

14/03/2024, 10:26  240314-mgrjcsbh52  (score 10)
14/03/2024, 10:25  240314-mfxc8ahe7z  (score 10)

General

  • Target: Rino.s.Discord.Account.ToolKit.rar
  • Size: 16.1MB
  • Sample: 240314-mgrjcsbh52
  • MD5: 9258c0946544389aaa4c6626be1f32b2
  • SHA1: 8cc5e825f68430a38869f1687d9289604af67681
  • SHA256: 4b14895a45058c34fb029d0b867412bba2ba76aceb444f28b3b312b98a5a73df
  • SHA512: f00e82e6f3c4b07e6ab0a71c86e61fe75fbd544a97618848d006814e769fa967456dbc7d930ddd559ee3ffc1c4dc8c66ee6c698ad519826aeab7fd77e20509d0
  • SSDEEP: 393216:/FyyIpYYMaBD6MhZj8nYRSAAJVU5ma1ZYxCclf:dyy5YF6ML8YUCma1C8clf

Malware Config

Extracted
  • Family: xworm
  • Version: 3.1
  • Attributes
    • install_file: game.exe

Targets

    • Target: Rino's Discord Account ToolKit/Rino's Discord Acount toolkit.exe
    • Size: 12.2MB
    • MD5: cdc81da043cabb61816f918cc3ffc632
    • SHA1: c7c4371dacb34c40e5b918bf899f408b18fbe6ae
    • SHA256: 3c8640d80b6fd56b31cd595276975c689e18b9184c27bfc92be319c014f2e05d
    • SHA512: 187b4b4fdb40ac4a26a9a569557189a667187302b9a6eb2e7181d4c00d2051d94bd7958263f62792b7c01c828726760667e1fc7cd718fff40896821f80af8092
    • SSDEEP: 196608:lrMQ8CGnMjYBptuSBeOdOVgVRO+AzLjv+bhqNVoBLD7fEXEoYbiIv9VSEXvvk9fs:1GaGtuSPzRgnL+9qz8LD7fEUbiI6NQca

    Score: 10/10
    • Deletes Windows Defender Definitions
      Uses the mpcmdrun utility to delete all AV definitions.
    • Executes dropped EXE
    • Loads dropped DLL
    • UPX packed file
      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Target: Rino's Discord Account ToolKit/Rinos_Discord_Account_ToolKit.exe
    • Size: 4.3MB
    • MD5: a7553cc8ad2b91025f5bfb532090d2b6
    • SHA1: 5326aeb29d57118faaad3af9946584b87ad7f0d0
    • SHA256: 6aeee8b13c11c4157a2a92a38270c30af85fb060e5ccf3ef54994d2c3a1cf5b4
    • SHA512: 1a62dec71262fcf6561cf6ea615f9cb0a4d9d495e8759ab62b5980f6ad4211effce2e3f0726e69afb55441999e264ea25512db0e6d584d4c7e3c949429c9b81c
    • SSDEEP: 98304:XIPanxb7sGW9NcEJn5kKxGOd82SqTxaA/XjOqC1kIq9o8ha:Ys7sGqNcLGGOJSeV7L9o

    Score: 10/10
    • Detect Xworm Payload
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Xworm
      Xworm is a remote access trojan written in C#.
    • Drops startup file
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
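Two of the behaviours above translate directly into endpoint-telemetry hunts: the Defender definition wipe via mpcmdrun, and the startup-folder drop. The checker below is an added example, not part of the Triage report or of XWorm itself. It runs over constructed Sysmon-style events (Event ID 1 process creation, Event ID 11 file creation) that are embedded inline and labelled as such. The report does not show the exact mpcmdrun command line; `-RemoveDefinitions` is MpCmdRun's documented switch for deleting definitions and is assumed here, as are the sample paths, the Startup folder location for game.exe, and the set of parent processes treated as normal launchers of MpCmdRun.

```python
"""Hunt for two behaviours from the XWorm report: MpCmdRun definition removal
and a runnable file dropped into a Startup folder (constructed example)."""
import ntpath
import re

# Constructed events shaped like Sysmon Event ID 1 (process creation) and
# Event ID 11 (file creation). Illustrative only; not taken from the sandbox run.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": "C:\\Users\\victim\\Desktop\\Rino's Discord Acount toolkit.exe",
     "CommandLine": "\"C:\\Users\\victim\\Desktop\\Rino's Discord Acount toolkit.exe\"",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1,
     "Image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe",
     "CommandLine": "\"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" -RemoveDefinitions -All",
     "ParentImage": "C:\\Users\\victim\\Desktop\\Rino's Discord Acount toolkit.exe"},
    {"EventID": 1,  # benign signature update, must not fire
     "Image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe",
     "CommandLine": "\"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" -SignatureUpdate",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 11,  # install_file from the extracted config landing in Startup (assumed path)
     "Image": "C:\\Users\\victim\\Desktop\\Rino's Discord Acount toolkit.exe",
     "TargetFilename": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\game.exe"},
    {"EventID": 11,  # non-runnable file in Startup, must not fire
     "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\desktop.ini"},
]

# Parents that normally drive MpCmdRun (assumption for the example; tune to your fleet).
EXPECTED_MPCMDRUN_PARENTS = {"svchost.exe", "services.exe", "msmpeng.exe", "cmd.exe"}
# Matches both per-user and all-users Startup folders.
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
RUNNABLE_EXTS = (".exe", ".dll", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk", ".scr")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, portable across host OSes."""
    return ntpath.basename(path).lower()


def check_definition_removal(event: dict):
    """Flag MpCmdRun.exe invoked with -RemoveDefinitions. Severity is raised when
    the parent is not a process that normally launches MpCmdRun."""
    if event.get("EventID") != 1 or _base(event.get("Image", "")) != "mpcmdrun.exe":
        return None
    if "-removedefinitions" not in event.get("CommandLine", "").lower():
        return None
    parent = _base(event.get("ParentImage", ""))
    severity = "high" if parent in EXPECTED_MPCMDRUN_PARENTS else "critical"
    return ("defender_definitions_removed", severity, event["CommandLine"])


def check_startup_drop(event: dict):
    """Flag a runnable file written into a Startup folder (persistence)."""
    if event.get("EventID") != 11:
        return None
    target = event.get("TargetFilename", "")
    if not STARTUP_DIR_RE.search(target) or not target.lower().endswith(RUNNABLE_EXTS):
        return None
    return ("startup_file_dropped", "medium", target)


CHECKS = (check_definition_removal, check_startup_drop)


def scan(events):
    """Run every check over every event; return (name, severity, evidence) tuples."""
    findings = []
    for event in events:
        for check in CHECKS:
            hit = check(event)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for name, severity, evidence in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {name}: {evidence}")
```

Against the constructed events the scan raises exactly two findings: a critical one for MpCmdRun launched with `-RemoveDefinitions -All` from the toolkit executable rather than a system parent, and a medium one for game.exe written to the user's Startup folder. The benign `-SignatureUpdate` run and the desktop.ini write are left alone, which is the distinction you want before turning this into an alert.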

MITRE ATT&CK Enterprise v15

Tasks