Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
CosmeticLoader.bat
-
Size
462KB
-
Sample
240912-j1r3fsyglq
-
MD5
d44126df70e3dbdff887215a95e6f3ce
-
SHA1
6d729305d24b9ede2bef06b7885c4348e1899287
-
SHA256
5a1bc7923a04c38975120facb005961068ea9b81cdcbecf7595c9cbcb73dda68
-
SHA512
cd63b04365d8edf905ce2cea4a3c205761d65c0feef67b8840bbc87078d8739ecf735449e8cffdcae48e5f45895f62860dff6acee1da7e8701ded067f0527daf
-
SSDEEP
12288:+vhOfI50mwS2DU3R2ytr9vOH7OCGrGa4c:+vj97IAm7orkc
Malware Config
Extracted
xworm
127.0.0.1:7000
80.76.49.176:7000
-
Install_directory
%AppData%
-
install_file
XClient.exe
Extracted
gozi
Targets
-
-
Target
CosmeticLoader.bat
-
Size
462KB
-
MD5
d44126df70e3dbdff887215a95e6f3ce
-
SHA1
6d729305d24b9ede2bef06b7885c4348e1899287
-
SHA256
5a1bc7923a04c38975120facb005961068ea9b81cdcbecf7595c9cbcb73dda68
-
SHA512
cd63b04365d8edf905ce2cea4a3c205761d65c0feef67b8840bbc87078d8739ecf735449e8cffdcae48e5f45895f62860dff6acee1da7e8701ded067f0527daf
-
SSDEEP
12288:+vhOfI50mwS2DU3R2ytr9vOH7OCGrGa4c:+vj97IAm7orkc
Score10/10-
Detect Xworm Payload
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Drops file in System32 directory
-