General

  • Target

    NOTrat.exe

  • Size

    263KB

  • Sample

    240914-w8seeayfmp

  • MD5

    40bef15d7e355d96e8982f1c5f269db1

  • SHA1

    1f1718f81ef2aeb00ac062d772ac8eb818152fce

  • SHA256

    4a82cea3a78aa450b32194da67f92dd3f57773e12bf4a53ccfa2dcaf0a310d68

  • SHA512

    f5aac9923714732e6a5d38ee05467cf0ab159628ea7f6d1bd9831cfafd3dc679bd7169ec831edb731881e05e8a0b9e6668209447a69e547bf0f3dac8634654d7

  • SSDEEP

    6144:39AbtRuzzzzdhXV57nWo2RBvQ6VZpZPe:tgehXVdWz2YfU

Malware Config

Extracted

Family

xworm

C2

193.161.193.99:5500

127.0.0.1:5500:5500

127.0.0.1:5500

Attributes

  • Install_directory

    %AppData%

  • install_file

    ValorantTGB.exe

Targets

    • Target

      NOTrat.exe

    • Size

      263KB

    • MD5

      40bef15d7e355d96e8982f1c5f269db1

    • SHA1

      1f1718f81ef2aeb00ac062d772ac8eb818152fce

    • SHA256

      4a82cea3a78aa450b32194da67f92dd3f57773e12bf4a53ccfa2dcaf0a310d68

    • SHA512

      f5aac9923714732e6a5d38ee05467cf0ab159628ea7f6d1bd9831cfafd3dc679bd7169ec831edb731881e05e8a0b9e6668209447a69e547bf0f3dac8634654d7

    • SSDEEP

      6144:39AbtRuzzzzdhXV57nWo2RBvQ6VZpZPe:tgehXVdWz2YfU

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
