General

  • Target

    new.bat

  • Size

    25KB

  • Sample

    240711-xht1zszbjj

  • MD5

    2a6aaf30c4f4fb95035d448aea4b452e

  • SHA1

    c4705f2f325c3c0665ce479b79621ba03d9d4382

  • SHA256

    0fccf3d1fb38fa337baf707056f97ef011def859901bb922a4d0a1f25745e64f

  • SHA512

    22109814422f467121c80c0155615fb72105c369b91e0617e11f011c661c738ce7a59272ae362a3d3c171fb874c53c24094d742feb73ab01b5f5466dd6b8b292

  • SSDEEP

    768:Hrr046orC222qPZDorKS/A8r0grKZr5LmnfcY+ecZhs7rRgE9plN7rAZo1hR7rCy:X

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

todfg.duckdns.org:6745

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • aes.plain

    IL9ShbgkDRCmQ4yKCvfp38Kp3mMLaHMI

Extracted

Family

xworm

Version

3.1

C2

welxwrm.duckdns.org:8292

xwor3july.duckdns.org:9402

Mutex

jAJi0qnpBIvDTnnL

Attributes
  • install_file

    USB.exe

  • aes.plain

    9hXlvpqPjo25JASdsUcrYA==

  • aes.plain

    8L0v6TjJ7Ix53K1iXfw/cQ==

Extracted

Family

xworm

Version

5.0

C2

rvxwrm5.duckdns.org:9390

Mutex

paSw6o6yxKyyWEhP

Attributes
  • install_file

    USB.exe

  • aes.plain

    q8uatjAfN4sDyimyHVv1TQ==

Extracted

Family

asyncrat

Botnet

Default

C2

anachyyyyy.duckdns.org:7878

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

  • aes.plain

    NXN4AlhVbaCcJSg3ndPJ3uBIWfYloyWn

Targets

    • Target

      new.bat

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Async RAT payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke Web Request.

    • Executes dropped EXE

    • Loads dropped DLL
