General

  • Target

    nigger.exe

  • Size

    58KB

  • Sample

    240502-3h127abd63

  • MD5

    abb96dc265c42a9e9357b69cd911ffce

  • SHA1

    96a3619977f5b58a1cede6b960adca942e82d4e6

  • SHA256

    53fa4aaf3bd78521f9d402d0c793078353e6ff8f9d0ff7efcd8c686c79c69560

  • SHA512

    c56af566bb3ddf2731daa2a74936f0500b32ee36bd8184ee7c17924c9ed730b64bd4552a91fc55b870754e49196a30e6d414ba77bee960b18d4c9136e51087fb

  • SSDEEP

    1536:Bvf7dvzwTr1JVEUrq1xLAhhaL5b7JkbutjkfZNJN99Opv8gJaed:Bvf8CUrqMhILjkbu4Nn99OpEgTd

Malware Config

Extracted

Family

xworm

C2

dc-coleman.gl.at.ply.gg:42550

Attributes

  • Install_directory

    %AppData%

  • install_file

    runbroker300.exe

Targets

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring and block-at-first-sight.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application