General

  • Target

    81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe

  • Size

    9.6MB

  • Sample

    241003-b4jw9a1hlh

  • MD5

    dbbc877901e2a5a8c73c77b28a699960

  • SHA1

    c4ac39e195c4c76110958801ef482ac5d1af8941

  • SHA256

    81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4

  • SHA512

    9fa8359322eaec930786ea003540cf1bbcb7bf11205a5c5b9ef8d55a8cc8ad2c2c6289a010aa8f172443e3895b6c81b290d9145c7557335b8f7c180638bb08da

  • SSDEEP

    196608:K7kTvcGFwgJHb9fi4OEcGyYf/be2MAtMJjTPFrh+IRHi6b:K7O0GS079fHckf/a1AyJXX5iE

Malware Config

Extracted

Family

xworm

C2

178.215.236.225:7000

Attributes

  • Install_directory

    %AppData%

  • install_file

    TaskSchedular.exe

Targets

    • Target

      81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.