
General

  • Target

    XClient.exe

  • Size

    183KB

  • Sample

    240526-c2sxtace64

  • MD5

    2b2588dbc679d917268e4ec17783db91

  • SHA1

    5d3d9b5e548972155ebf7fb8506eeb87ee8d1c85

  • SHA256

    a089baba4b046b231c5008343025b97f47bab795bdebd0fb47c608053ba4d8b8

  • SHA512

    11615bbf4477ad683b5cfd5ecf1fbffb7ec957a76b47c012de67f7540ac26b42e63c965cbc028da9430a43f340b4889c5b80de416f83364d6b8d1783c41f4c86

  • SSDEEP

    3072:JMf71a4l72Me/sigR1b60M7MDVOyFMgBz65/M6If+3Js+3JFkKeTno:JyPrbjM7KxBt25

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    Spoofer.exe
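Added example, not code from the Triage report: a host-side check for the install artifact described by the extracted config. The install directory, filename and hashes are the report's own values; the function name and the Startup-folder and Run-key checks are assumptions about how the "Drops startup file" persistence is usually wired up, which the report does not spell out.

```powershell
# Added example, not part of the Triage report: check a host for the install
# artifact described by the extracted config. The path, filename and hashes are
# taken from the report; the function name and the Startup-folder / Run-key checks
# are assumptions about how the "Drops startup file" persistence is typically
# wired up, not something the report states.

$Ioc = @{
    InstallFile = 'Spoofer.exe'
    InstallDir  = [Environment]::ExpandEnvironmentVariables('%AppData%')
    Sha256      = 'a089baba4b046b231c5008343025b97f47bab795bdebd0fb47c608053ba4d8b8'
    Md5         = '2b2588dbc679d917268e4ec17783db91'
}

function Test-XWormInstallArtifact {
    [CmdletBinding()]
    param([hashtable]$Indicator = $Ioc)

    $findings = @()
    $installPath = Join-Path $Indicator.InstallDir $Indicator.InstallFile

    # 1. Is the install file present where the config says it is dropped?
    if (Test-Path -LiteralPath $installPath) {
        $sha256 = (Get-FileHash -LiteralPath $installPath -Algorithm SHA256).Hash.ToLower()
        $md5    = (Get-FileHash -LiteralPath $installPath -Algorithm MD5).Hash.ToLower()
        # An exact hash hit means this exact sample; the same name in the same
        # place with a different hash is still worth reporting (repacked build).
        $match = if ($sha256 -eq $Indicator.Sha256 -or $md5 -eq $Indicator.Md5) { 'hash' } else { 'name-only' }
        $findings += [pscustomobject]@{ Check = 'InstallFile'; Detail = $installPath; Match = $match }
    }

    # 2. Entries in the user's Startup folder that are, or point at, the install file.
    $startup = [Environment]::GetFolderPath('Startup')
    foreach ($item in (Get-ChildItem -LiteralPath $startup -Force -File -ErrorAction SilentlyContinue)) {
        $hit = $item.Name -ieq $Indicator.InstallFile
        if (-not $hit -and $item.Extension -ieq '.lnk') {
            $shell  = New-Object -ComObject WScript.Shell
            $target = $shell.CreateShortcut($item.FullName).TargetPath
            $hit = [bool]$target -and ($target -ilike "*\$($Indicator.InstallFile)")
        }
        if ($hit) {
            $findings += [pscustomobject]@{ Check = 'StartupFolder'; Detail = $item.FullName; Match = 'name' }
        }
    }

    # 3. Run-key values that reference the install file.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not registry values
            if ("$($p.Value)" -ilike "*$($Indicator.InstallFile)*") {
                $findings += [pscustomobject]@{ Check = 'RunKey'; Detail = "$key\$($p.Name) = $($p.Value)"; Match = 'name' }
            }
        }
    }
    return $findings
}

Test-XWormInstallArtifact | Format-Table -AutoSize
```

A 'hash' match ties the host to this exact sample; a 'name-only' or 'name' finding means the same install name is in place but the binary differs, which is the normal situation with a builder-generated RAT and still warrants pulling the file for triage.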

Targets

    • Target

      XClient.exe

    • Size

      183KB

    • MD5

      2b2588dbc679d917268e4ec17783db91

    • SHA1

      5d3d9b5e548972155ebf7fb8506eeb87ee8d1c85

    • SHA256

      a089baba4b046b231c5008343025b97f47bab795bdebd0fb47c608053ba4d8b8

    • SHA512

      11615bbf4477ad683b5cfd5ecf1fbffb7ec957a76b47c012de67f7540ac26b42e63c965cbc028da9430a43f340b4889c5b80de416f83364d6b8d1783c41f4c86

    • SSDEEP

      3072:JMf71a4l72Me/sigR1b60M7MDVOyFMgBz65/M6If+3Js+3JFkKeTno:JyPrbjM7KxBt25

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
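Added example, not code from the Triage report: an audit for the Defender-exclusion behaviour flagged above. It lists the exclusions currently configured on a host and flags those that would shield a payload in a user-writable directory or an executable type, then pulls the Defender configuration-change events and any PowerShell script-block log entries that contain Add-MpPreference so the change can be timed. Get-MpPreference, Get-WinEvent, Defender event 5007 and PowerShell event 4104 are real; which exclusions this sample actually adds is not stated in the report, so the %AppData% and Spoofer.exe / XClient.exe matching is an assumption, as are the function names.

```powershell
# Added example, not part of the Triage report. Audits Windows Defender exclusions
# for entries that would protect a dropped file in a user-writable directory, and
# pulls the log events that record when exclusions were added. The report does not
# say which exclusions the sample adds, so the watch lists below are assumptions.

function Get-SuspiciousDefenderExclusion {
    [CmdletBinding()]
    param(
        [string[]]$WatchPaths = @([Environment]::ExpandEnvironmentVariables('%AppData%'),
                                  [Environment]::ExpandEnvironmentVariables('%LocalAppData%'),
                                  [Environment]::ExpandEnvironmentVariables('%Temp%')),
        [string[]]$WatchProcesses = @('Spoofer.exe', 'XClient.exe')   # install_file and original target name
    )
    $pref = Get-MpPreference
    $out  = @()

    # Path exclusions under a user-writable directory shield anything dropped there.
    foreach ($p in @($pref.ExclusionPath)) {
        if (-not $p) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($p)
        foreach ($w in $WatchPaths) {
            if ($expanded -ilike "$w*") {
                $out += [pscustomobject]@{ Kind = 'Path'; Value = $p; Reason = "under $w" }
            }
        }
    }
    # Excluding executable extensions switches scanning off for the payload types that matter.
    foreach ($e in @($pref.ExclusionExtension)) {
        if (-not $e) { continue }
        if ($e.TrimStart('.') -in @('exe','dll','ps1','bat','vbs','js','scr')) {
            $out += [pscustomobject]@{ Kind = 'Extension'; Value = $e; Reason = 'executable type excluded' }
        }
    }
    # Process exclusions naming the dropped file or the original sample name.
    foreach ($pr in @($pref.ExclusionProcess)) {
        if (-not $pr) { continue }
        if ((Split-Path -Leaf $pr) -in $WatchProcesses) {
            $out += [pscustomobject]@{ Kind = 'Process'; Value = $pr; Reason = 'matches install/target name' }
        }
    }
    return $out
}

function Get-DefenderExclusionChangeEvent {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # Event 5007 is written whenever a Defender setting changes; the message carries
    # the old and new value, so an added exclusion shows up here with a timestamp.
    $defender = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Exclusions' }

    # With script block logging enabled, event 4104 holds the PowerShell that ran,
    # which is where the Add-MpPreference call itself is recorded.
    $scriptBlocks = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Add-MpPreference' }

    @($defender) + @($scriptBlocks) |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Get-SuspiciousDefenderExclusion | Format-Table -AutoSize
Get-DefenderExclusionChangeEvent | Format-Table -AutoSize
```

Run it from an elevated session: on current Windows builds the exclusion lists returned by Get-MpPreference are hidden from non-administrators, and the Defender operational log also needs elevation to read in full. Event 4104 only exists if script block logging is turned on, so an empty second list is not evidence that nothing ran.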

MITRE ATT&CK Enterprise v15

Tasks