General
Target: StandShooter.bat
Size: 511KB
Sample: 240601-cty4vsfc83
MD5: 537886f4e49111f326e5d90e4c38c7d1
SHA1: 57b09c800cba244e68d317a0960f041aee468360
SHA256: dc4ad7f04bd7f277494092d4db0c337b1b4bbe5d0bc8a667babf5f3045144416
SHA512: 0deb228bf17e218fdf7f98f49f89c1f25ee059c95887a697afbe64acbf3411f022eb80ee5349e8e44658511609e0c585aa501cb645439bc97088ba169f7c8107
SSDEEP: 12288:ZUxYtgKHokLaJ7vOYOXba/SQUfnQmD+D7Mep3O44:ZUxxBy8vuXhsmDfse44

Static task: static1
Behavioral task: behavioral1
Sample: StandShooter.bat
Resource: win11-20240508-en
Malware Config
Extracted family: xworm
C2: 127.0.0.1:57023
C2: Name1442-57023.portmap.host:57023
Install_directory: %Temp%
install_file: Stand.exe

Note for triage: the loopback entry 127.0.0.1:57023 only resolves on the operator's own machine and is not a usable network indicator; the portmap.host hostname on the same port is the address the implant will actually reach out to, and the dropped binary %Temp%\Stand.exe is the host-level indicator.
Targets
Target: StandShooter.bat
Size: 511KB
(MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Score: 10/10

Signatures
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
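The extracted config and the signature list above are enough to hunt for this sample on an endpoint. The Python below is an added example, not part of the tria.ge report or of any Xworm tooling: it runs the report's indicators (the portmap.host C2 host and port 57023, the %Temp%\Stand.exe install path, the sample's SHA256, the PowerShell Defender-exclusion behaviour and the Run-key persistence) over a handful of constructed Sysmon-style events that mix the reported behaviours with benign look-alikes. The event records and their field names (type, image, cmdline, target, data, dest_host, dest_port, sha256) are assumptions for illustration and would need mapping to real telemetry; the heuristic that %Temp% resolves under a path containing \Temp\ is also an assumption. Add-MpPreference and its -ExclusionPath, -ExclusionExtension and -ExclusionProcess parameters are the real Defender cmdlet and parameters.

```python
import re
from dataclasses import dataclass

# Indicators copied from the report (Malware Config and hash section).
C2_HOSTS = {"name1442-57023.portmap.host", "127.0.0.1"}
C2_PORT = 57023
INSTALL_FILE = "stand.exe"
INSTALL_DIR_HINT = "\\temp\\"   # assumption: %Temp% resolves under ...\AppData\Local\Temp
SAMPLE_SHA256 = "dc4ad7f04bd7f277494092d4db0c337b1b4bbe5d0bc8a667babf5f3045144416"

# Add-MpPreference is the real Defender cmdlet; these three parameters add
# exclusions for paths, file extensions and processes (the report's signature).
DEFENDER_EXCLUSION_RE = re.compile(
    r"add-mppreference\b.*?-exclusion(?:path|extension|process)\b", re.I | re.S)
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run\\", re.I)
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    detail: str


def check_event(ev: dict) -> list[Finding]:
    """Return every rule that fires on one event.

    Field names are an assumption (a flattened Sysmon-like shape); adapt the
    getters to the telemetry you actually have.
    """
    hits = []
    kind = ev.get("type")
    eid = ev.get("id", -1)

    # Hash match works on any event type that carries a hash (process, file).
    if ev.get("sha256", "").lower() == SAMPLE_SHA256:
        hits.append(Finding("known_sample_hash", eid, ev.get("path") or ev.get("image", "")))

    if kind == "process":
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "")
        # Signature: PowerShell adding Defender exclusions. A read-only
        # Get-MpPreference must not fire.
        if image.endswith(POWERSHELL_IMAGES) and DEFENDER_EXCLUSION_RE.search(cmd):
            hits.append(Finding("defender_exclusion_added", eid, cmd.strip()))
        # Signature: executes dropped EXE, using the config's install path.
        if image.endswith("\\" + INSTALL_FILE) and INSTALL_DIR_HINT in image:
            hits.append(Finding("dropped_exe_executed", eid, image))

    elif kind == "registry":
        target = ev.get("target", "")
        data = ev.get("data", "").lower()
        # Signature: Run key persistence. Only flag values pointing at the
        # dropped file or at a Temp path, so legitimate Run entries stay quiet.
        if RUN_KEY_RE.search(target) and (INSTALL_FILE in data or INSTALL_DIR_HINT in data):
            hits.append(Finding("run_key_persistence", eid, f"{target} = {ev.get('data')}"))

    elif kind == "network":
        host = ev.get("dest_host", "").lower()
        port = ev.get("dest_port")
        # C2 from the extracted config; the loopback entry is kept in the set
        # only for completeness and will not match real egress telemetry.
        if host in C2_HOSTS or (port == C2_PORT and host.endswith(".portmap.host")):
            hits.append(Finding("xworm_c2_contact", eid, f"{host}:{port}"))

    return hits


def hunt(events) -> list[Finding]:
    findings = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


# Constructed telemetry (not from the sandbox run): the report's behaviours
# interleaved with benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"type": "file", "id": 0, "path": r"C:\Users\u\Downloads\StandShooter.bat",
     "sha256": SAMPLE_SHA256},
    {"type": "process", "id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command Add-MpPreference -ExclusionPath "
                "C:\\Users\\u\\AppData\\Local\\Temp -ExclusionProcess Stand.exe"},
    {"type": "process", "id": 2,                               # benign: read-only query
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command Get-MpPreference"},
    {"type": "process", "id": 3, "image": r"C:\Users\u\AppData\Local\Temp\Stand.exe",
     "cmdline": r"C:\Users\u\AppData\Local\Temp\Stand.exe", "sha256": "0" * 64},
    {"type": "registry", "id": 4,
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Stand",
     "data": r"C:\Users\u\AppData\Local\Temp\Stand.exe"},
    {"type": "registry", "id": 5,                              # benign Run entry
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "network", "id": 6, "dest_host": "Name1442-57023.portmap.host", "dest_port": 57023},
    {"type": "network", "id": 7, "dest_host": "update.example.net", "dest_port": 443},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

On the constructed events this fires exactly once per reported behaviour (events 0, 1, 3, 4 and 6) and stays silent on the Get-MpPreference query, the OneDrive Run entry and the unrelated HTTPS connection. The Run-key rule deliberately requires the value to reference the dropped file or a Temp path rather than flagging every Run write, which is the trade-off a practitioner has to make when the page's "Adds Run key" signature is turned into a production rule.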