General

  • Target

    setup.exe

  • Size

    356KB

  • Sample

    240710-1d6qrs1dpm

  • MD5

    5783316be9eff4cebc0fedee80500e9d

  • SHA1

    61b5d82d9da372c011ae2bbe050ecc47cd8a7da5

  • SHA256

    a3959e3a8458fe1a3530b5866f7e970700cf156fc0b5f7ff015313fe62c984a5

  • SHA512

    53c3f6768358f19bcdce131d050685f3bfc260a96fbc8963390361942c524456b286efb3b2af0c612e36f76d9e1e51aa28f9b81c09d58bb15e60109a63c52513

  • SSDEEP

    6144:EhEN7+GRIGuXQs3frbL7rbL7rbL7rWG2mWG2mWG2mWG2mJ5pZJ5pZJ5pZJ7p0yNI:EG7dy90hSyWoYchYlVgFDuy+6

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:48802

those-situation.gl.at.ply.gg:48802

Attributes

  • Install_directory

    %AppData%

  • install_file

    x4host.exe

Targets

    • Target

      setup.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell and hides the display window.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks