Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    для дискорда подцветка.exe

  • Size

    74KB

  • Sample

    240806-f4pvqavckf

  • MD5

    1fff6319630c8840455856ccfc3fab6b

  • SHA1

    8d23d47c005cb8e59da31d6f5ceacdafda3a2ea3

  • SHA256

    f58fa175e86798fe2448f5505e6593f4970d584cb6a59c2e35ae3508053f99b5

  • SHA512

    32dcf2abef8f015bf9b8dbbbfdeddab47aef4ef062c6e812e83f6e363a701bc2296727f7971c7eebd4cce2023d14f092612ba6a4eaa8c40d0ad841e9d860943b

  • SSDEEP

    1536:ZRhuDQx5Y55vNUWmjS9HnxbZgQz6vOcb9XjIdhd:jwsq5v+WNFnxbZmOcbFjqd

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:8848

localhost:8848

domain-vote.gl.at.ply.gg:8848

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      для дискорда подцветка.exe

    • Size

      74KB

    • MD5

      1fff6319630c8840455856ccfc3fab6b

    • SHA1

      8d23d47c005cb8e59da31d6f5ceacdafda3a2ea3

    • SHA256

      f58fa175e86798fe2448f5505e6593f4970d584cb6a59c2e35ae3508053f99b5

    • SHA512

      32dcf2abef8f015bf9b8dbbbfdeddab47aef4ef062c6e812e83f6e363a701bc2296727f7971c7eebd4cce2023d14f092612ba6a4eaa8c40d0ad841e9d860943b

    • SSDEEP

      1536:ZRhuDQx5Y55vNUWmjS9HnxbZgQz6vOcb9XjIdhd:jwsq5v+WNFnxbZmOcbFjqd

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks