Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    xwormport.exe

  • Size

    80KB

  • Sample

    241009-t9w3watdjg

  • MD5

    8b6c64186bf08072e4204ec3bde4147c

  • SHA1

    8381d71213c367c4dab4fbf9b33e081e339ad215

  • SHA256

    8950ce8d0d34da93e1540029b4ff17f127b8619dea6f0e5c90a0d9a78368f52a

  • SHA512

    fbc3b75b348f5345f1534f6e740fd696b85c4f2a4f88a616af52fd6d7ccb7b13b0427c0d5e0e7626d0561cba534c5792f54e00f24cc1fd97f7f3ce9ec11e1404

  • SSDEEP

    1536:+VNL/GiQfNlMYojPrZeHdD+8VKjuM4UKbdqmkmuH5f6Yf/JTOjaeKLz4:MNiiOPMXjPrZoD7Kju9UKbdSZRfxTOjx

Score
10/10

Malware Config

Extracted

Family

xworm

C2

MadeInMood1-40937.portmap.host:40937

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • telegram

    https://api.telegram.org/bot7375237961:AAFlPWXmEriRUUWDWeG1DeZifKaAFaWD10Q/sendMessage?chat_id=7534517325

Targets

    • Target

      xwormport.exe

    • Size

      80KB

    • MD5

      8b6c64186bf08072e4204ec3bde4147c

    • SHA1

      8381d71213c367c4dab4fbf9b33e081e339ad215

    • SHA256

      8950ce8d0d34da93e1540029b4ff17f127b8619dea6f0e5c90a0d9a78368f52a

    • SHA512

      fbc3b75b348f5345f1534f6e740fd696b85c4f2a4f88a616af52fd6d7ccb7b13b0427c0d5e0e7626d0561cba534c5792f54e00f24cc1fd97f7f3ce9ec11e1404

    • SSDEEP

      1536:+VNL/GiQfNlMYojPrZeHdD+8VKjuM4UKbdqmkmuH5f6Yf/JTOjaeKLz4:MNiiOPMXjPrZoD7Kju9UKbdSZRfxTOjx

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix

Tasks