Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
XClient.exe
-
Size
305KB
-
Sample
240502-ybs1sagd47
-
MD5
aa86049b23de9ca25639df01e72ce4c3
-
SHA1
fe1e95c2983c448187dc401150621ff43a40b6f0
-
SHA256
4fea20fe413398e2d8db3ff8ad61c02cfeae0df6044b39fb01d3c56f45df2994
-
SHA512
2786ae00580698a79ff885f30fa2a87fee3e03d180fd1b42e7f4a3b4433e19451b614f2fd632b06ecebbfa577215e38bfd2276575d4ffddbbeeee8eb1b1ce732
-
SSDEEP
6144:BhYI9d+GIIIIIIIhIIIIIIIIIIIIIIIU:a
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win11-20240419-en
Malware Config
Extracted
xworm
5.0
127.0.0.1:18657
5.tcp.eu.ngrok.io:18657
abH6MtVFLvlMhC1I
-
Install_directory
%AppData%
-
install_file
HumanFallFlat.exe
Targets
-
-
Target
XClient.exe
-
Size
305KB
-
MD5
aa86049b23de9ca25639df01e72ce4c3
-
SHA1
fe1e95c2983c448187dc401150621ff43a40b6f0
-
SHA256
4fea20fe413398e2d8db3ff8ad61c02cfeae0df6044b39fb01d3c56f45df2994
-
SHA512
2786ae00580698a79ff885f30fa2a87fee3e03d180fd1b42e7f4a3b4433e19451b614f2fd632b06ecebbfa577215e38bfd2276575d4ffddbbeeee8eb1b1ce732
-
SSDEEP
6144:BhYI9d+GIIIIIIIhIIIIIIIIIIIIIIIU:a
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-