General

  • Target

    XClient.exe

  • Size

    305KB

  • Sample

    240502-ybs1sagd47

  • MD5

    aa86049b23de9ca25639df01e72ce4c3

  • SHA1

    fe1e95c2983c448187dc401150621ff43a40b6f0

  • SHA256

    4fea20fe413398e2d8db3ff8ad61c02cfeae0df6044b39fb01d3c56f45df2994

  • SHA512

    2786ae00580698a79ff885f30fa2a87fee3e03d180fd1b42e7f4a3b4433e19451b614f2fd632b06ecebbfa577215e38bfd2276575d4ffddbbeeee8eb1b1ce732

  • SSDEEP

    6144:BhYI9d+GIIIIIIIhIIIIIIIIIIIIIIIU:a

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:18657

5.tcp.eu.ngrok.io:18657

Mutex

abH6MtVFLvlMhC1I

Attributes

  • Install_directory

    %AppData%

  • install_file

    HumanFallFlat.exe

aes.plain

Targets

    • Target

      XClient.exe

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, Block at First Sight, etc.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
