General

  • Target

    WizWorm (Modified XWorm).zip

  • Size

    24.8MB

  • Sample

    240715-txp4sssbqb

  • MD5

    32ecce31bdf92872683db61212ff5680

  • SHA1

    5f6b12892d7e2ef406a890207b0e7cfede5b3c66

  • SHA256

    e38c9eb5ca2d9e9f287e914cc3b6c667cb64aaa4251671e268d741b95da2dd80

  • SHA512

    8da875b941b937a43b13786179a33e9062742dadc6cebed36a10b4182c5e79074293b09cfe212400eca83c8c08cc5ca3756a48d5f05f606e2cab92a7e6e3c0c7

  • SSDEEP

    786432:wMzXzpPSOsuxVYWR2LHsdOVGRRCCxbLwjTtDTgV:wMzXzpPSLuv/2LMUURHuTI

Malware Config

Extracted

Family

xworm

C2

auto-london.gl.at.ply.gg:51655

Attributes

  • Install_directory

    %LocalAppData%

  • install_file

    NigNigRat.exe

Targets

    • Target

      WizWorm (Modified XWorm)/WizWorm.exe

    • Size

      99KB

    • MD5

      a9b00ac5f9c02e540c61381a5fae62c3

    • SHA1

      273e272cc73d519c5cba2839de4e6043fd8977b0

    • SHA256

      3ad4aa1921b844c635bbeef2a492a3d1ff134af6a38a1c31d7d264da3e192a38

    • SHA512

      924316a6cd0b91617d23010cc031ccbc1a99c4d72f9199fb3215d68ae6ea6cc9c3a4888777bf4c72d920d940e68b828a4ede75c299a5f7b7f804250cea4ae570

    • SSDEEP

      1536:n1vP5KmktoR0wQNB+QC+ZMh/uFPah6x2C4bFwOL/n6106/Y7FwoOLTrXatVSFayK:VxLCLN06PahfLbFZL/6PWZOL6GPPy

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.