General

  • Target

    385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe

  • Size

    1.5MB

  • Sample

    240704-d7hvgavarh

  • MD5

    fcb52672d473cf136f8bfa03d3e60aa0

  • SHA1

    8398a8fa2c8b909d49b9e3d19a6417d96a8bc2e6

  • SHA256

    385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077

  • SHA512

    db161e6c1d8062eda2bac28844d097fb86697d9ecc0e811a70b3438537ff6ab9c07cb8a47085fb348e918a73be69c6eb3389049bce32c651d1ee6766a2e32273

  • SSDEEP

    24576:yFU+Ar0D+GNlhWwTzJEealEsmzbLaneJL09JI9FJavZBBVdB9+WxkePMKQ3pBXdn:Jp0yyWwPxpbouV/EPB58WCedQ5B2w6C5

Malware Config

Extracted

Family

xworm

C2

usr-internal.gl.at.ply.gg:36003

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    dllhost.exe

  • telegram

    https://api.telegram.org/bot7268230993:AAH2vZGQkcYKKsL-PgJE8FiLxJ6qFOIFXxw/sendMessage?chat_id=7213459827
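As an added example (not part of the Triage report and not code from the Xworm family), the following Python turns the extracted configuration above into matchable indicators and runs them over a handful of constructed log lines. The key=value event format, the expansion of %ProgramData% to C:\ProgramData and the sample events are assumptions; the indicator values are the ones extracted above. The install-path check matters because dllhost.exe is also the name of a legitimate Windows binary under C:\Windows\System32, so the file name alone is a weak indicator, while the numeric part of the Telegram bot token is a usable indicator even when the secret half is redacted.

```python
import re
from urllib.parse import urlparse, parse_qs

# Extracted configuration from the report above, copied into a dict (constructed).
XWORM_CONFIG = {
    "family": "xworm",
    "c2": ["usr-internal.gl.at.ply.gg:36003"],
    "install_directory": "%ProgramData%",
    "install_file": "dllhost.exe",
    "telegram": ("https://api.telegram.org/bot7268230993:AAH2vZGQkcYKKsL-PgJE8FiLxJ6qFOIFXxw"
                 "/sendMessage?chat_id=7213459827"),
}


def iocs_from_config(cfg):
    """Turn an extracted Xworm config into indicators that can be matched on logs."""
    iocs = {"c2": set(), "bot_ids": set(), "chat_ids": set(), "drop_paths": set()}
    for entry in cfg.get("c2", []):
        host, _, port = entry.rpartition(":")
        iocs["c2"].add((host.lower(), int(port)))
    url = cfg.get("telegram")
    if url:
        parsed = urlparse(url)
        # Bot tokens look like <numeric bot id>:<secret>; the numeric id is a
        # stable indicator even if the secret is rotated or redacted.
        m = re.match(r"/bot(\d+):", parsed.path)
        if m:
            iocs["bot_ids"].add(m.group(1))
        iocs["chat_ids"].update(parse_qs(parsed.query).get("chat_id", []))
    # %ProgramData% expanded to its default location (assumption: default install).
    directory = cfg["install_directory"].replace("%ProgramData%", r"C:\ProgramData")
    iocs["drop_paths"].add((directory + "\\" + cfg["install_file"]).lower())
    return iocs


def parse_event(line):
    """Parse a constructed 'key=value key=value' log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def match_events(lines, iocs):
    """Return (line index, reason) for every log line that hits an indicator."""
    hits = []
    for n, line in enumerate(lines):
        ev = parse_event(line)
        kind = ev.get("type")
        if kind == "dns" and any(ev.get("query", "").lower() == host for host, _ in iocs["c2"]):
            hits.append((n, "DNS lookup of configured C2 host"))
        elif kind == "net" and (ev.get("dst", "").lower(), int(ev.get("dport", 0))) in iocs["c2"]:
            hits.append((n, "TCP connection to configured C2 host:port"))
        elif kind == "http" and ev.get("host", "").lower() == "api.telegram.org":
            m = re.match(r"/bot(\d+):", ev.get("uri", ""))
            if m and m.group(1) in iocs["bot_ids"]:
                hits.append((n, "Telegram Bot API call using the configured bot id"))
        elif kind == "file" and ev.get("path", "").lower() in iocs["drop_paths"]:
            hits.append((n, "file written at the configured install path"))
    return hits


# Constructed sample events; the last two are benign and must not match.
EVENTS = [
    "type=dns query=usr-internal.gl.at.ply.gg",
    "type=net dst=usr-internal.gl.at.ply.gg dport=36003 proto=tcp",
    "type=http host=api.telegram.org uri=/bot7268230993:REDACTED/sendMessage?chat_id=7213459827",
    r"type=file path=C:\ProgramData\dllhost.exe",
    r"type=file path=C:\Windows\System32\dllhost.exe",
    "type=net dst=example.org dport=443 proto=tcp",
]

if __name__ == "__main__":
    for n, reason in match_events(EVENTS, iocs_from_config(XWORM_CONFIG)):
        print(f"line {n}: {reason} :: {EVENTS[n]}")
```

The first four constructed events hit (DNS lookup, C2 connection, Telegram bot call, drop at C:\ProgramData\dllhost.exe); the legitimate System32 dllhost.exe and the unrelated connection do not.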

Targets

    • Target

      385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe

    • Size

      1.5MB

    • MD5

      fcb52672d473cf136f8bfa03d3e60aa0

    • SHA1

      8398a8fa2c8b909d49b9e3d19a6417d96a8bc2e6

    • SHA256

      385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077

    • SHA512

      db161e6c1d8062eda2bac28844d097fb86697d9ecc0e811a70b3438537ff6ab9c07cb8a47085fb348e918a73be69c6eb3389049bce32c651d1ee6766a2e32273

    • SSDEEP

      24576:yFU+Ar0D+GNlhWwTzJEealEsmzbLaneJL09JI9FJavZBBVdB9+WxkePMKQ3pBXdn:Jp0yyWwPxpbouV/EPB58WCedQ5B2w6C5

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
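The PowerShell Defender-exclusion and Run-key behaviours listed above can be turned into host-side detections over process and registry telemetry. The following Python is an added example, not code from the report or from the Xworm family; the Sysmon-style event dicts, the SID, the paths and the command lines are constructed. It goes beyond the listed behaviour in one respect: it also decodes the -EncodedCommand form (base64 over UTF-16LE script text, any unambiguous prefix of the parameter name accepted), which a plain command-line string match would miss.

```python
import base64
import re

# Any unambiguous prefix of -EncodedCommand is accepted by powershell.exe
# (-e, -ec, -enc, ...), so match every prefix rather than only the full name.
_ENC_PREFIXES = "|".join("encodedcommand"[:i] for i in range(1, 15))
ENCODED_RE = re.compile(rf"-(?:ec|{_ENC_PREFIXES})\s+([A-Za-z0-9+/=]+)", re.I)

# Add-MpPreference / Set-MpPreference followed by any -Exclusion* parameter.
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)\b",
    re.I | re.S,
)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell expects base64 over the UTF-16LE encoding of the script text.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_powershell(image):
    return image.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")


def classify(event):
    """Return the detection names triggered by one Sysmon-style event dict."""
    findings = []
    if event["type"] == "process" and is_powershell(event["image"]):
        text = event["cmdline"]
        decoded = decode_encoded_command(text)
        if decoded:
            text = text + "\n" + decoded  # inspect the decoded script as well
        if EXCLUSION_RE.search(text):
            findings.append("defender_exclusion_via_powershell")
    elif event["type"] == "registry" and RUN_KEY_RE.search(event["key"]):
        findings.append("run_key_persistence")
    return findings


# Constructed events (SID, paths and command lines are made up for the example).
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
_ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionExtension '.exe'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "image": _PS,
     "cmdline": "powershell.exe -NoProfile -Command \"Add-MpPreference -ExclusionPath "
                "'C:\\ProgramData' -ExclusionProcess 'dllhost.exe'\""},
    {"type": "process", "image": _PS,
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"type": "process", "image": _PS,
     "cmdline": "powershell.exe -Command Get-MpPreference"},
    {"type": "registry", "key": _SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\dllhost",
     "value": r"C:\ProgramData\dllhost.exe"},
    {"type": "registry", "key": _SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "value": "1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev) or ["-"], ev.get("cmdline") or ev.get("key"))
```

The plain and the encoded exclusion commands both trigger, the read-only Get-MpPreference does not, and only the Run\ value (not the unrelated Explorer key) counts as persistence. PowerShell also accepts unambiguous prefixes of -ExclusionPath and friends (for example -ExclusionPa), so a production rule should match on the Exclusion stem rather than the full parameter names used here.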

MITRE ATT&CK Enterprise v15