General

  • Target

    1.bat

  • Size

    225KB

  • Sample

    241025-y6y6aathpf

  • MD5

    da9fe0e76fa2d549f46353ee2fc8c901

  • SHA1

    d32b1f0579186b015d3b09a756a2f15a2718deb6

  • SHA256

    0667ea9ed7a36a77fbb6c8aa13e90623dab98d7322bc9eeb387f4f0f1869b471

  • SHA512

    a7ae49ab7575254dda964cb5bbacb2305407644c75f6ee2d9ff45ae6c8c9f5e3422f7c700b6e7246739b7e4d6fb2c3700ad7f63c7899551eb433f96fee608d33

  • SSDEEP

    3072:ktnnrWvhg8h5od3WYeILH70j07mLnlJ8VyzoX1KZEVyO4hA39/EgPFnDrQstXEUR:CnnghHkXeUy0Q7zoFKaVFOI/EEWstXDR

Malware Config

Extracted

Family

xworm

Version

5.0

C2

mew.servepics.com:25902

Mutex

lJYY1nbn3elqV1YL

Attributes
  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7276041743:AAHcuQBIgMQxThnw-SMW4PSn0GYAkSjroxA

aes.plain

Targets

    • Target

      1.bat

    • Size

      225KB

    • MD5

      da9fe0e76fa2d549f46353ee2fc8c901

    • SHA1

      d32b1f0579186b015d3b09a756a2f15a2718deb6

    • SHA256

      0667ea9ed7a36a77fbb6c8aa13e90623dab98d7322bc9eeb387f4f0f1869b471

    • SHA512

      a7ae49ab7575254dda964cb5bbacb2305407644c75f6ee2d9ff45ae6c8c9f5e3422f7c700b6e7246739b7e4d6fb2c3700ad7f63c7899551eb433f96fee608d33

    • SSDEEP

      3072:ktnnrWvhg8h5od3WYeILH70j07mLnlJ8VyzoX1KZEVyO4hA39/EgPFnDrQstXEUR:CnnghHkXeUy0Q7zoFKaVFOI/EEWstXDR

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks