General

  • Target

    topware-beta.rar

  • Size

    7.6MB

  • Sample

    240707-dv8kcsvcqh

  • MD5

    cbab2799ab5ed6e4cfd0e90732f8c753

  • SHA1

    864db886d8fc8ef3f506681d9a8715c9b7d5ec4d

  • SHA256

    e55752ce0e4bdc9426430bf580efd1559864d24c3c0f118d58ff513e6d618fd1

  • SHA512

    9a396e4e1a6fb54f1b9eec652da7f906768360953f312bf4d705bd39b406157aa87f8ae8785696eaa538272f769ecbf97f5cd80f87b0ff95319e7ca1f40e5214

  • SSDEEP

    196608:kTFmL8iYNZoL66tULFG9BSZmvnHv3t04+VdqhGIEfpx:kxMWZ++LF/ZmvHv3S4+rqhCpx

Malware Config

Extracted

Family

xworm

C2

79.110.49.233:4444

Attributes

  • Install_directory

    %AppData%

  • install_file

    VSREDIST.exe

Targets

    • Target

      bin/antvms.dll

    • Size

      319KB

    • MD5

      0867c6c53da333c4a0572e64b2d7466f

    • SHA1

      41aced5a92ab64c178177adf12ede86c4a42d1fd

    • SHA256

      8372b3b2bd6d1bb1c8beb2780989554dd5599625981d7f297c38e5a870f703cc

    • SHA512

      0c2dc57f1c93b51233ccd33fca871a6bac8dd002deb8b7d1b86fca5d4433255dd51928947069f99936e4099b779bd47ae3dcb20de4cccef282ee0fa2f9975ce3

    • SSDEEP

      6:kdYZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ9:kdG

    Score
    1/10
    • Target

      bin/debug/AnyDesk.exe

    • Size

      5.1MB

    • MD5

      aee6801792d67607f228be8cec8291f9

    • SHA1

      bf6ba727ff14ca2fddf619f292d56db9d9088066

    • SHA256

      1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

    • SHA512

      09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f

    • SSDEEP

      98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

    Score
    5/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      bin/debug/debug.main.exe

    • Size

      64KB

    • MD5

      36969de6b4bf8de24684de1bb71f624f

    • SHA1

      0327d7d9d7f739e4b09bab680249ed997a281c9b

    • SHA256

      57035572212814c4666994f1a0d2b6955b0951a8f1e9e1686dead895de5f64cf

    • SHA512

      cd8eae1b19c8ae9a2d22b999e85e86625a1e74630e6f3155ff63965b8f116e62f79dcc23b88c92f51fa42ee26f7bd87cad22a21f32f16306890576e309dfe548

    • SSDEEP

      1536:TTodvW06WoBsscJSbigiYUVkaNW6PmqCO26erLq:UenWissBbigHmkaRmHO26erLq

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      bin/release/release.exe

    • Size

      64KB

    • MD5

      36969de6b4bf8de24684de1bb71f624f

    • SHA1

      0327d7d9d7f739e4b09bab680249ed997a281c9b

    • SHA256

      57035572212814c4666994f1a0d2b6955b0951a8f1e9e1686dead895de5f64cf

    • SHA512

      cd8eae1b19c8ae9a2d22b999e85e86625a1e74630e6f3155ff63965b8f116e62f79dcc23b88c92f51fa42ee26f7bd87cad22a21f32f16306890576e309dfe548

    • SSDEEP

      1536:TTodvW06WoBsscJSbigiYUVkaNW6PmqCO26erLq:UenWissBbigHmkaRmHO26erLq

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      bin/trafficencryptor.dll

    • Size

      346KB

    • MD5

      5a188b7f782eb697fb5e12c630bcbea2

    • SHA1

      ed665dddb109b219c91d494d1a3433dedab6381e

    • SHA256

      8582cd4cfffb6fd4c99ee69ad316c737c9e72d96e6b9c4a470f43743d0f431e9

    • SHA512

      3fd5dd66fa12bf4870ed78bd20d6a8f1e9effbee8022455206bae24b635d380cccda9f47d472ebd0e8062981a0a0a4428d277a392c7ea1c351b28af9eccbfd4a

    • SSDEEP

      6:kdYZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZO:kdR7l

    Score
    1/10
    • Target

      bin/xfcmain.dll

    • Size

      326KB

    • MD5

      ba72f62f7cdb4935d667925625df9559

    • SHA1

      908b431bea3fc6b65941276a7662c69266e15490

    • SHA256

      b33b11b3033529ff05539ff55c8c3cb476fedb28c3e62df8235ba6ff3b3b20c9

    • SHA512

      abaad730a6e099bf6d584a15e397efc4e6e357da31975b9cee8e4a60e4a0301723714fb473c31fbaa1a1b374e3cc648b0b75fdf75d8368722eaa2aab24a073be

    • SSDEEP

      6:kdYZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZk:kd7dz1

    Score
    1/10
    • Target

      bin/xfcstart.dll

    • Size

      339KB

    • MD5

      88768a731826f71373c397cf874046de

    • SHA1

      c90a75c75986e55a3c358f2056df810560c84612

    • SHA256

      f434f0d8a67c84bbc9baf18bcbfdff3ce338da3442d135067a22b87c238d6675

    • SHA512

      930f754dd59f31c5ef9710104e40f6024c5a49c0d76c16902562b90c887024d3053695a10ba7c8303be441d71d0150d02dc76b6059afb614f83339dad90508b1

    • SSDEEP

      6:kdYZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ9:kdG

    Score
    1/10
    • Target

      debugger.exe

    • Size

      64KB

    • MD5

      36969de6b4bf8de24684de1bb71f624f

    • SHA1

      0327d7d9d7f739e4b09bab680249ed997a281c9b

    • SHA256

      57035572212814c4666994f1a0d2b6955b0951a8f1e9e1686dead895de5f64cf

    • SHA512

      cd8eae1b19c8ae9a2d22b999e85e86625a1e74630e6f3155ff63965b8f116e62f79dcc23b88c92f51fa42ee26f7bd87cad22a21f32f16306890576e309dfe548

    • SSDEEP

      1536:TTodvW06WoBsscJSbigiYUVkaNW6PmqCO26erLq:UenWissBbigHmkaRmHO26erLq

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      execution.dll

    • Size

      1.3MB

    • MD5

      09cba584aa0aae9fc600745567393ef6

    • SHA1

      bbd1f93cb0db9cf9e01071b3bed1b4afd6e31279

    • SHA256

      0babd84d4e7dc2713e7265d5ac25a3c28d412e705870cded6f5c7c550a5bf8d5

    • SHA512

      5f914fa33a63a6d4b46f39c7279687f313728fd5f8437ec592369a2da3256ccff6f325f78ace0e6d3a2c37da1f681058556f7603da13c45b03f2808f779d2aa1

    • SSDEEP

      24576:5Ac2t6Twn/0ke6ruDPMY0BQJzTzAC991g44ekgpqc4CQKZi5P9xh0gsWLgiHesms:q6TmQJrXg44ekgpqc4CQKZi5P9xh0gsI

    Score
    1/10
    • Target

      injectprint.dll

    • Size

      3.9MB

    • MD5

      3b4647bcb9feb591c2c05d1a606ed988

    • SHA1

      b42c59f96fb069fd49009dfd94550a7764e6c97c

    • SHA256

      35773c397036b368c1e75d4e0d62c36d98139ebe74e42c1ff7be71c6b5a19fd7

    • SHA512

      00cd443b36f53985212ac43b44f56c18bf70e25119bbf9c59d05e2358ff45254b957f1ec63fc70fb57b1726fd8f76ccfad8103c67454b817a4f183f9122e3f50

    • SSDEEP

      49152:OS7PQ+besnXqRtHKzhwSsz6Ku1FVVOsLQuouM0MeAD36FqxLfeIgSNwLTzHiU2Ir:O4PhqqFVUsLQl6FqVCLTzHxJIMd

    Score
    3/10
    • Target

      lz4.dll

    • Size

      117KB

    • MD5

      f7e2f224f8dbe22012c7ff20590b8770

    • SHA1

      99775e038e306a2b5f73f6e7d8d42a5799ace824

    • SHA256

      c62f829bc0f820bca6bf14b380b285a169cd1395df864bbec692f8ca31bc4e70

    • SHA512

      96d2938cd77b48e4efdc7212a92327ac5ce43ad757fcff88eb5cbd3eb2fac1bbcaa2e119881f3cb902c634db8ef16e69146ebfe972ab0ecb2cf3b769e0818f89

    • SSDEEP

      1536:FVP0R6tS1m4baJ1ocCcl+DBZD5C3gTg60bEior69ggjpA38Ajcqv:Fxy9bs1oTfBZDugTgpbEXh0A38AYk

    Score
    1/10
    • Target

      offsets.dll

    • Size

      1021B

    • MD5

      d0b33be30e3ef0fe9e272061a12ee79a

    • SHA1

      d4e62e1bf492a991537659c469ebabcb75b4d49f

    • SHA256

      8d4cdee0284fbede0c15b61d79d3ff85c1a00a30cc99a469def972e0a044c36d

    • SHA512

      c6f25b7d2b32bcfafb25e7e21fb0cc346bf844cbae2e27b78bede4939eb39647e6eed97da3699bd2d5f07e7cc0c1005c6ca6840136a729974c10ffdd6438f247

    Score
    1/10
    • Target

      topware.inject.dll

    • Size

      17KB

    • MD5

      690738776ba844a6d7d98d8c2ca97737

    • SHA1

      c852b8a53e895248b1a182bd4f737bc2a3f1ea3b

    • SHA256

      e5b4c0d091db6e95151fa55843b57639e78e2af97d55177fe9e628955f1fc900

    • SHA512

      ca05b797535703c8f369d3b7fb5d82813a20d4ea8cd03e7fa26ce2c7059a30fdfc5ffb7317eab9330e161f0fc5196730424720c8c816c3ab90b3703e43ee98d4

    • SSDEEP

      192:YWUl1a80XXXPll3iYskmr3COA4TJr6cdcvGxTq6bdxTOZU+OVkWLPisOI7pTh:YWUl1aJHPll3iLdJrrdcvGpQ9kn

    Score
    3/10
    • Target

      topware.py

    • Size

      1KB

    • MD5

      a8c73f5f04db064ac16b41efaa8b591c

    • SHA1

      4da291c845b26e199131c746829e9f04eb5198d3

    • SHA256

      264cae1900046b4f1fb0294f852e67e94d226b84ef75b6388cfd5c762197f843

    • SHA512

      d2ec2c603fd9cf58becd6698faaf182434b4c23d22bfc1cc456a841e92f32e15dd038442e54d854edd2c2c1e2ba8465d200d971b7a381cd319c5ac797a651b7a

    Score
    3/10
    • Target

      xxhash.dll

    • Size

      45KB

    • MD5

      161bd3d60228dd16c54a927250af3e49

    • SHA1

      463243c3cc2e0bca16f3ced2c3b70c13a0e97fa6

    • SHA256

      ecb5aa2bf0ff355a7b36bb3a991264655e13e0f2c9e88b9dfa39d7fe4c5142a7

    • SHA512

      3716ce34c1e9931007f374685a6588bc355e942872e7a42eaa4c5be9a0fdc93f081a1dc5c3d8fec4a4563dbd556f4d046f7bf3d50840c02d8aa822eaca7a577b

    • SSDEEP

      768:I9otvM7DZ1LMDJdj+LVvgFlJus4zBOQdlyR0/A:I9UEDLMDJxKM0scUS

    Score
    1/10
    • Target

      zinl1.dll

    • Size

      1.2MB

    • MD5

      a396ee8375252d04da31676fe1b3ff75

    • SHA1

      57aee1e5b69a85d0e0b7d5a103ddb683f0204cce

    • SHA256

      7dc3aeda7518abb376a6932583669e7e1595a656edeae65af1397807322e8a25

    • SHA512

      ff755bed789869a8cc2adc05b7a3b234ef93997b1774cc719d506ce4dd03fcd0ed6d320a13d815e27a21ebdf99f3308ea47a8de6b9a25ca4eaa8fb4045fbb0db

    • SSDEEP

      24576:yoCqsxtqSepCBr5fFrHodqht+tmiw9P9TsdJRV5Wodh8NHmoz:3CzASep0r5fFrHoUht+tU9TsrRV5WodE

    Score
    1/10
    • Target

      zlib1.dll

    • Size

      87KB

    • MD5

      f6fc96cfccdd9958a157546faa4c13a9

    • SHA1

      ae8e4171a0583a761ae4428e5757daeedaf2a157

    • SHA256

      231e29c228652e9d6504e608a1cc53311e762cd4c78deb7c9ef11bc27f13d3da

    • SHA512

      fb983083b5c620616d2547a7903f8ebfd2ad52ed9bdde8264b6e555fb47644c488779d3ade52f5e601dbc31e67f40ea973f41f45af242790dc5d8a91c163c8dc

    • SSDEEP

      1536:Q7wjHHWwn1rhEzjEp70E2thqlz4bqIOcIOZFkGnd02H:QcjH2w1EjEpIq6b4SZFfndjH

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks

static1

xworm
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
5/10

behavioral4

Score
5/10

behavioral5

xworm, execution, persistence, rat, trojan
Score
10/10

behavioral6

xworm, execution, persistence, rat, trojan
Score
10/10

behavioral7

xworm, execution, persistence, rat, trojan
Score
10/10

behavioral8

xworm, execution, persistence, rat, trojan
Score
10/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

xworm, execution, persistence, rat, trojan
Score
10/10

behavioral16

xworm, execution, persistence, rat, trojan
Score
10/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
3/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

execution
Score
3/10

behavioral25

execution
Score
3/10

behavioral26

Score
3/10

behavioral27

Score
3/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

Score
1/10