General

  • Target

    InstallerVbs.vbs

  • Size

    104KB

  • Sample

    240510-yfezqahb34

  • MD5

    bc89449faa6c9e7bb2957178b31866ba

  • SHA1

    1e36383ec2124b42c951047dad01dd19d1f16ffd

  • SHA256

    750ba2dad733bc591d8e9d2354db33cb4a86d878c5e138419d5af4a899326111

  • SHA512

    87db7826c7f701658b782f3542f2bc2b6dd2f153181c770d0bc4c63c3300c10bf33f364590a94ae9d189b4028e965d0ede13ed3a9078a0b58e278ad6390da44f

  • SSDEEP

    3072:vx1nBT1JXFLckxCBv8I0o59j/cDJUt3YU6b/T0rCUdv47:ZF9CNt/QUVYUsQCUdv47

Malware Config

Extracted

Family

xworm

C2

mike-algebra.gl.at.ply.gg:55575

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      InstallerVbs.vbs

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks