Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
Solara_Protect.bat
-
Size
3.1MB
-
Sample
240701-tk7s3ssclk
-
MD5
49f8779d69c5572c5534a2b83f90334b
-
SHA1
edbeaff47d9b2fe4244b9710e014924189c086b6
-
SHA256
e3120bc12c0d1c82b3d719e8d095fcee2bba9571d2ad85e9e2b1b2dae921cc49
-
SHA512
a34cb31c8bdccced3167a1df44e6635cf66ddc544246115639727611aab578e576e98297be42d9496971da4b35db5f8359b8b06499009d885269e3ad3e5fd6bc
-
SSDEEP
3072:4VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVQKCoBA+17vLt/fC2:kTP3tivHMMMMMMWCYYYYU
Malware Config
Extracted
xworm
anyone-blogging.gl.at.ply.gg:22284
-
Install_directory
%Userprofile%
-
install_file
XClient.exe
Targets
-
-
Target
Solara_Protect.bat
-
Size
3.1MB
-
MD5
49f8779d69c5572c5534a2b83f90334b
-
SHA1
edbeaff47d9b2fe4244b9710e014924189c086b6
-
SHA256
e3120bc12c0d1c82b3d719e8d095fcee2bba9571d2ad85e9e2b1b2dae921cc49
-
SHA512
a34cb31c8bdccced3167a1df44e6635cf66ddc544246115639727611aab578e576e98297be42d9496971da4b35db5f8359b8b06499009d885269e3ad3e5fd6bc
-
SSDEEP
3072:4VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVQKCoBA+17vLt/fC2:kTP3tivHMMMMMMWCYYYYU
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1