General

  • Target

    Everything.exe

  • Size

    1.1MB

  • Sample

    240727-tyxv2axgrm

  • MD5

    574e3b1c4f468cf59768cf5ef84aeedc

  • SHA1

    ee826303db0bd1c8cdf79095b9297608df2f8891

  • SHA256

    f2b7f2e4d4b1e2552c5739f1d790b39a99b0487f2fb0696fb683d4dfc29a913b

  • SHA512

    312f4873cd47457e5c422f1a86343d7d91d935074fe8145c8da03a6244e4c36da1e532e38086ecf86f739f4cddeee978825a39af79da1b40c344cda71a64f8be

  • SSDEEP

    24576:YP3HZagB7Jn6C5cZiLQ7ZCyEib1GZexgvOxxH8Z3:Yf5aUsZ9sHibODvOx6Z3

Malware Config

Extracted

Family

xworm

C2

rights-refers.gl.at.ply.gg:8848

localhost:8848

127.0.0.1:8848

Attributes

  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Targets

    • Target

      Everything.exe

    • Size

      1.1MB

    • MD5

      574e3b1c4f468cf59768cf5ef84aeedc

    • SHA1

      ee826303db0bd1c8cdf79095b9297608df2f8891

    • SHA256

      f2b7f2e4d4b1e2552c5739f1d790b39a99b0487f2fb0696fb683d4dfc29a913b

    • SHA512

      312f4873cd47457e5c422f1a86343d7d91d935074fe8145c8da03a6244e4c36da1e532e38086ecf86f739f4cddeee978825a39af79da1b40c344cda71a64f8be

    • SSDEEP

      24576:YP3HZagB7Jn6C5cZiLQ7ZCyEib1GZexgvOxxH8Z3:Yf5aUsZ9sHibODvOx6Z3

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks