General

  • Target

    XClient.exe

  • Size

    217KB

  • Sample

    240616-k8xtcaxgqg

  • MD5

    aafb349d724a1b6ee29e233ce3de9fe2

  • SHA1

    6273688fc2a2f1216c4eab81232d03c65cd4745f

  • SHA256

    3004ad4cc1142ca3483bba1a3e5c2244802c0d2df43ba3c066056e2ba8ef1046

  • SHA512

    533af2f1093638fb181e43c9b12ff3e0fa4f599c824b1ec31181f86306cf7d626820a5cf7e70908cb21d77d91d7e6b7b09c696e056092fe3de0eb273f1d81618

  • SSDEEP

    1536:ZZrLnQSYxHCNJ9SEX+b8oeEVy6D5O3A8wunl+g5zU730/jyY:ZFQxHCNPD+b8+7O3AJC+L3HY

Malware Config

Extracted

Family

xworm

C2

20.ip.gl.ply.gg:25725

<Xwormmm>:123

Attributes

  • Install_directory

    %Temp%

  • install_file

    chiacago.exe

  • telegram

    https://api.telegram.org/bot7378508941:AAFi7xPXoDjOY7Whre_FGKytWzP0LZ_WBF8/sendMessage?chat_id=6877286426

Targets

    • Target

      XClient.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks