General

  • Target: nelomiasteczny.exe
  • Size: 33KB
  • Sample: 240827-2lmhjaxapj
  • MD5: 5c487f81af703722cda81d5f5510a027
  • SHA1: aba146063b22ffed8d20a67f6475c732bb3dc0d3
  • SHA256: 41f8ff096c9178a1f5a8a76f64574214a43f30af33571406903f3a9d0dbbea44
  • SHA512: 1b9e36000cac0a2b2deb9049ae04778c8b4b9d15b2e3c306542454393af0c461dc95cdc29fc78731343f3bd445bb146a43333135a5ec3f477a1272e11a58d397
  • SSDEEP: 384:9l+PkjD9+E5MFs7iui8L7zxM42pfL3iB7OxVqWYRApkFXBLTsOZwpGN2v99IkuiQ:3+CD93W03242JiB706VF49jChOjhsbF

Malware Config

Extracted

  • Family: xworm
  • Version: 5.0
  • C2: lefferek-42016.portmap.host:42016
  • Mutex: bNP6qMPM6Cdrrc5E

Attributes

  • install_file: USB.exe

aes.plain

Targets


  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Mark of the Web detected: This indicates that the page was originally saved or cloned.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v15

Tasks