General

  • Target

    Free.bat

  • Size

    190KB

  • Sample

    240704-xmhhratdkp

  • MD5

    6a1fd175668c34faf07a9f82dcd61884

  • SHA1

    b2232ad243c3596bc29716d085a6bc8ba328e12c

  • SHA256

    1a158ec89f3a579cb370fce8c79de20c4943b84d584ff2f63d476209f3c29873

  • SHA512

    e66d20eb6d80fea715096c073ff41ece7ca243ccc4dd5ccf216261c64147660bcfa780d044f4d9cdcb212ca65c2b4309ab07253cbbbcf8ef90706b03a729a2c3

  • SSDEEP

    3072:f4UH4Z5TsZPHVN70jXQw0o26RdIrQGgjStDcejhbXvqR61dqWsjocgcsR3gTEcat:fDtVN70cwV2MIlrtD9bXCWqWgocIwbx4

Malware Config

Extracted

Family

xworm

C2

executive-factory.gl.at.ply.gg:58101

Attributes

  • install_file

    USB.exe

Targets

    • Target

      Free.bat

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks