General

  • Target: receipt_usps.vhd
  • Size: 9.0MB
  • Sample: 240405-nw49fabe39
  • MD5: 835b1e409a1c6bb2c9b4af67fb3b2d71
  • SHA1: f5065d35b91b9ec284cbffc85ee78e7ea8a16389
  • SHA256: 16da17a7d922a490fd554b01f0ba1f2cbc46605ac8f8417a233e68a595e24051
  • SHA512: 9a9881c822263cea9bd08f552b58fc4d3b21705127e3080df7dabfd29a797c813a33befd1a8361d3e6beb3b4536ba9cad7653511ba92aa32d57fbf19c2add0f9
  • SSDEEP: 49152:Nb/WCLE4eDqB4a6imkqcvBjXIjVUgwt5Og:kCQliq0BTI5UIg

Malware Config

Extracted

Family: xworm
Version: 5.0
Mutex: UxOlPOZZNwNV9srk
Attributes
  • install_file: USB.exe
  • pastebin_url: https://pastebin.com/raw/Dh8E7H3R

aes.plain

Extracted

Family: xworm
Version: 3.1
Attributes
  • Install_directory: %AppData%
  • install_file: USB.exe
  • pastebin_url: https://pastebin.com/raw/Dh8E7H3R

Targets

    • Target: logo/receipt.vbs
    • Size: 4KB
    • MD5: 22d736ac0bfacea4d23dbaf9412d329a
    • SHA1: b2990e0c9f9549b1f8cc3dceec47663b975cbb36
    • SHA256: c5a2fd9c057765f6eb2bde2cc86317b53d8418117c9e1362596e067b44ea7d04
    • SHA512: bfdd54f8e400e9c516cf5c73f1ba17b2a5c44fe9d14ada37efaff35c38d30c7849ad1dfb32a3d877742631a60c462832e079994de5fe65044a2941eaa0770904
    • SSDEEP: 96:LQUUjcFSoSqUnPkPKOTK6yjbo+yHQUJ8fLGZ2k7:dYcFh5UsPKOTJcoLMw2k7

    • Detect Xworm Payload
    • Xworm: Xworm is a remote access trojan written in C#.
    • Blocklisted process makes network request
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Adds Run key to start application
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of SetThreadContext

    • Target: parcel_shipping_label.lnk
    • Size: 1002B
    • MD5: a0abe64514f25b2564718dadc6f077c9
    • SHA1: aa6b93ee0817e74d66d8fbcb475442d7071c1b6f
    • SHA256: 82ba6734f458e88dc2465ff8152fb0de8a33e08163da64c9653d8c89f9dae8c2
    • SHA512: ff504e33e1dbd8af157e6c1fb3fdfc0d8fe735e1f347cd90f9cc15ec04151b06078e1d926b9fd25e817d2417185ad1972d759f113d96c2c3595d2ec88cfc4402

    • Detect Xworm Payload
    • Xworm: Xworm is a remote access trojan written in C#.
    • Blocklisted process makes network request
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Drops startup file
    • Executes dropped EXE
    • Adds Run key to start application
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks