General

  • Target: chrome.exe

  • Size: 157KB

  • Sample: 240406-1lg3dabh2s

  • MD5: 25060bd356ab33ef0d384d3e1604b3a2

  • SHA1: 7460a12aeb3735df974921e8ae2e933371cbb96b

  • SHA256: 53775b3af0da7e20661ac7779099b3e0ed21c28197edb9fe8702eabca3e94a91

  • SHA512: b75ee64cd7048383ef64199627312d613b5f2e2e89783050e8bc885b504ff15d0b6fa53434bc792081a40d512286199e853bed34c0c081305c5805bdd8b5c862

  • SSDEEP: 3072:Ajycy37zaF09LmmOC14NpVq8BxFRzaqF+o2GQJ7/JzqVfGvZ:A9yc09qogVqwlL

Malware Config

Extracted

  • Family: xworm

  • Version: 5.0

  • aes.plain

Targets

    • Target: chrome.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
