General

  • Target

    20240517d9456bbb0c30222c673c9205375f5859snatch.bin

  • Size

    4.8MB

  • Sample

    240517-vqxezahh8t

  • MD5

    d9456bbb0c30222c673c9205375f5859

  • SHA1

    1d99cfb5272f0c07ffba97135073968fc1454f88

  • SHA256

    945398c017348a3ddd4dbea5c7920f120ce2bed2a2bad117ad4be7258668218a

  • SHA512

    f18dfdd983ff46a60fbd8102aba350971502fa3c2c78f5dcec09893d38e7369134de6ea1d490f87314fcb885981313d58306b8e8a5fd26c1664e877cf1910f35

  • SSDEEP

    49152:xJqRbtKTC/Mx7NieQvCs7VOxDIt5E9id0HoCYtnl/4z6PZN:b8JKTXx7Ns70x2EPmh4O

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • aes.plain

Targets

    • Target

      20240517d9456bbb0c30222c673c9205375f5859snatch.bin

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks