Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    XClient.exe

  • Size

    59KB

  • Sample

    240530-ywwx6shb2s

  • MD5

    d172c0a4ae3e8cef6a0a910bde62e195

  • SHA1

    51139fc633fe81a66c8ed55081f92ec5256bd0bd

  • SHA256

    94b65da2b5cc3728547f892a46e9c48c5d54477d10ea8e210304593acd3568e7

  • SHA512

    d82c930a42fd623aeee51007453d201e96110b546f1fb34080fc6d4c1488d71b3828f5f1833d347993444e4d332aa00fbb7b8922fce676d220375470ad0fa467

  • SSDEEP

    1536:9vv68xQQodoW8YTK6uDkbrfSVxwXSOqQ+k:1vjWQoGJYTK6CkbrfHSOqQ+k

Malware Config

Extracted

Family

xworm

C2

length-desert.gl.at.ply.gg:58023

%AppData%:9

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Targets

    • Target

      XClient.exe

    • Size

      59KB

    • MD5

      d172c0a4ae3e8cef6a0a910bde62e195

    • SHA1

      51139fc633fe81a66c8ed55081f92ec5256bd0bd

    • SHA256

      94b65da2b5cc3728547f892a46e9c48c5d54477d10ea8e210304593acd3568e7

    • SHA512

      d82c930a42fd623aeee51007453d201e96110b546f1fb34080fc6d4c1488d71b3828f5f1833d347993444e4d332aa00fbb7b8922fce676d220375470ad0fa467

    • SSDEEP

      1536:9vv68xQQodoW8YTK6uDkbrfSVxwXSOqQ+k:1vjWQoGJYTK6CkbrfHSOqQ+k

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks