General

  • Target

    e5f8cfe6e345649c62e0841baf930dc2f9274205e0eb7bd8d90c9099967fc7b9

  • Size

    68KB

  • Sample

    240806-3ley5athjn

  • MD5

    8fe37834502c9cad2a3f4bc4676e16c2

  • SHA1

    b094f4930779e4736faef853eeea262dc8708884

  • SHA256

    e5f8cfe6e345649c62e0841baf930dc2f9274205e0eb7bd8d90c9099967fc7b9

  • SHA512

    1c2ad55d9f75e4ddf3a3fd50f53b49b01e2d8a05333fca8c08444fda8a97d8f3245c1373703ab2eb3ec1267e41cb79dc0df66049c36ae255ab97cccbd690c449

  • SSDEEP

    1536:MATJ3GFPtJ+fEnKZy4bkd3Th64OP/KKoKiR:MATJ3GFfcHbkZOP/KKcR

Malware Config

Extracted

Family

xworm

C2

africa-panels.gl.at.ply.gg:36327

Attributes

  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7097357076:AAFNLSm-3pej5b-uWHuJ42vA2ifmYBH-Apk/sendMessage?chat_id=6237826260

Targets

    • Target

      e5f8cfe6e345649c62e0841baf930dc2f9274205e0eb7bd8d90c9099967fc7b9

    • Size

      68KB

    • MD5

      8fe37834502c9cad2a3f4bc4676e16c2

    • SHA1

      b094f4930779e4736faef853eeea262dc8708884

    • SHA256

      e5f8cfe6e345649c62e0841baf930dc2f9274205e0eb7bd8d90c9099967fc7b9

    • SHA512

      1c2ad55d9f75e4ddf3a3fd50f53b49b01e2d8a05333fca8c08444fda8a97d8f3245c1373703ab2eb3ec1267e41cb79dc0df66049c36ae255ab97cccbd690c449

    • SSDEEP

      1536:MATJ3GFPtJ+fEnKZy4bkd3Th64OP/KKoKiR:MATJ3GFfcHbkZOP/KKcR

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
