General

  • Target

    Xworm Fixer.bat

  • Size

    442KB

  • Sample

    240907-tt4g1sseqn

  • MD5

    ccf46201786b2facd7b19ea6129944da

  • SHA1

    25e51f0e98977de48e111773058cc1b70ced0892

  • SHA256

    74cdc51bc00b8f596fb764469b16ec2edb336cf9f151697ff984a5081c3204d6

  • SHA512

    43a92ed1caf5a517e4e1506127b96b07c75458701e4d0b0556fc79694866fb27089ed919688c7ff68c7c2a87b51ef2e635d85bfa8a5aa860f132bfb1fbe13675

  • SSDEEP

    6144:7iCje5mpo5kEu3ojrKYMwoocilcJohGUMJb0YXZyDC3ntd0FqT/G+PYDKhJaltT7:Xi5mpJEu3mkR4LMxZye3ntqFKFPTjWZ

Malware Config

Extracted

Family

xworm

C2

manufacturer-rank.gl.at.ply.gg:60383

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Targets

    • Target

      Xworm Fixer.bat

    • Size

      442KB

    • MD5

      ccf46201786b2facd7b19ea6129944da

    • SHA1

      25e51f0e98977de48e111773058cc1b70ced0892

    • SHA256

      74cdc51bc00b8f596fb764469b16ec2edb336cf9f151697ff984a5081c3204d6

    • SHA512

      43a92ed1caf5a517e4e1506127b96b07c75458701e4d0b0556fc79694866fb27089ed919688c7ff68c7c2a87b51ef2e635d85bfa8a5aa860f132bfb1fbe13675

    • SSDEEP

      6144:7iCje5mpo5kEu3ojrKYMwoocilcJohGUMJb0YXZyDC3ntd0FqT/G+PYDKhJaltT7:Xi5mpJEu3mkR4LMxZye3ntqFKFPTjWZ

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15