General
  Target: Particle.exe
  Size: 5.5MB
  Sample: 240706-ke58masejj
  MD5: d41a6df7070f5d1231fd187c23ef90a2
  SHA1: 67e18070c757390732c2a11484549104f44de4b8
  SHA256: 163d8d2127a38630ef261ae21b46ecfdeb1198570a7317b9fccd7cf26da5248f
  SHA512: 0b9879beee9a9b16e42d5a2a511352afefb013c20c483abba5022ba3dc36ebb500e4069d3e24ddad5e01b2cc7483bbe247d0f27d0403dfb657fdc7c7edacb2c7
  SSDEEP: 49152:1iRhrIouNRGHaBEEnJ2DSyb6Fta4IlmfxNzR5c2wEnLjy5E7QaeUdBzHevxHeu0P:wXU3GHJJkfxlRanE0vd0l
Static task
  static1

Behavioral task
  behavioral1
  Sample: Particle.exe
  Resource: win11-20240704-en
Malware Config
  Extracted family: xworm
  Version: 5.0
  Mutex: RTEfkblgnvG3OK7t
  Install_directory: %Public%
  install_file: ReAgentC.exe
  pastebin_url: https://pastebin.com/raw/UWpQULMP
  telegram: https://api.telegram.org/bot7420124943:AAF1r0gN9LdH2HJhpp3RjQMBU2cphBasfrs
Targets
  Target: Particle.exe
  Size: 5.5MB
  MD5: d41a6df7070f5d1231fd187c23ef90a2
  SHA1: 67e18070c757390732c2a11484549104f44de4b8
  SHA256: 163d8d2127a38630ef261ae21b46ecfdeb1198570a7317b9fccd7cf26da5248f
  SHA512: 0b9879beee9a9b16e42d5a2a511352afefb013c20c483abba5022ba3dc36ebb500e4069d3e24ddad5e01b2cc7483bbe247d0f27d0403dfb657fdc7c7edacb2c7
  SSDEEP: 49152:1iRhrIouNRGHaBEEnJ2DSyb6Fta4IlmfxNzR5c2wEnLjy5E7QaeUdBzHevxHeu0P:wXU3GHJJkfxlRanE0vd0l
Score: 10/10

Signatures
  Detect Xworm Payload
  Command and Scripting Interpreter: PowerShell
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Executes dropped EXE
  Adds Run key to start application
  Legitimate hosting services abused for malware hosting/C2
MITRE ATT&CK Enterprise v15
  Execution
    Command and Scripting Interpreter (1)
      PowerShell (1)
    Scheduled Task/Job (1)
      Scheduled Task (1)
  Persistence
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Scheduled Task/Job (1)
      Scheduled Task (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Scheduled Task/Job (1)
      Scheduled Task (1)