General

  • Target

    Solara_Protect.bat

  • Size

    3.1MB

  • Sample

    240701-tk7s3ssclk

  • MD5

    49f8779d69c5572c5534a2b83f90334b

  • SHA1

    edbeaff47d9b2fe4244b9710e014924189c086b6

  • SHA256

    e3120bc12c0d1c82b3d719e8d095fcee2bba9571d2ad85e9e2b1b2dae921cc49

  • SHA512

    a34cb31c8bdccced3167a1df44e6635cf66ddc544246115639727611aab578e576e98297be42d9496971da4b35db5f8359b8b06499009d885269e3ad3e5fd6bc

  • SSDEEP

    3072:4VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVQKCoBA+17vLt/fC2:kTP3tivHMMMMMMWCYYYYU

Malware Config

Extracted

Family

xworm

C2

anyone-blogging.gl.at.ply.gg:22284

Attributes

  • Install_directory

    %Userprofile%

  • install_file

    XClient.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15