Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    new.bat

  • Size

    25KB

  • Sample

    240711-xht1zszbjj

  • MD5

    2a6aaf30c4f4fb95035d448aea4b452e

  • SHA1

    c4705f2f325c3c0665ce479b79621ba03d9d4382

  • SHA256

    0fccf3d1fb38fa337baf707056f97ef011def859901bb922a4d0a1f25745e64f

  • SHA512

    22109814422f467121c80c0155615fb72105c369b91e0617e11f011c661c738ce7a59272ae362a3d3c171fb874c53c24094d742feb73ab01b5f5466dd6b8b292

  • SSDEEP

    768:Hrr046orC222qPZDorKS/A8r0grKZr5LmnfcY+ecZhs7rRgE9plN7rAZo1hR7rCy:X

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

todfg.duckdns.org:6745

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

Version

3.1

C2

welxwrm.duckdns.org:8292

xwor3july.duckdns.org:9402

Mutex

jAJi0qnpBIvDTnnL

Attributes
  • install_file

    USB.exe

aes.plain
aes.plain

Extracted

Family

xworm

Version

5.0

C2

rvxwrm5.duckdns.org:9390

Mutex

paSw6o6yxKyyWEhP

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

anachyyyyy.duckdns.org:7878

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      new.bat

    • Size

      25KB

    • MD5

      2a6aaf30c4f4fb95035d448aea4b452e

    • SHA1

      c4705f2f325c3c0665ce479b79621ba03d9d4382

    • SHA256

      0fccf3d1fb38fa337baf707056f97ef011def859901bb922a4d0a1f25745e64f

    • SHA512

      22109814422f467121c80c0155615fb72105c369b91e0617e11f011c661c738ce7a59272ae362a3d3c171fb874c53c24094d742feb73ab01b5f5466dd6b8b292

    • SSDEEP

      768:Hrr046orC222qPZDorKS/A8r0grKZr5LmnfcY+ecZhs7rRgE9plN7rAZo1hR7rCy:X

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Async RAT payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks