General

  • Target

    5e2867075ab2ebe3b5d8b1648edabbf490a04ffc7de8808af20ae7729bc78950N

  • Size

    2.6MB

  • Sample

    241106-z2bpvsxkey

  • MD5

    ea05c6995e79aae43764232ef54421f0

  • SHA1

    8b6c4ec447bac2dddda3cd217fb694167999f845

  • SHA256

    5e2867075ab2ebe3b5d8b1648edabbf490a04ffc7de8808af20ae7729bc78950

  • SHA512

    e8c93c4d0c019ad8240dafe38e178346f334a9274faec09affc344cbd89d88761ad38531a309ca50068e995b4619f8be65d1acf91ee1565262be33ebce8f9556

  • SSDEEP

    24576:Z5UPamUFkoXq5W3CQutB4a3R+Bolg0n1SIO/WmnlmSjviIGLnr5UekMl2:Z54amUuoXKOsB49l0nwI7mRGLdmMs

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

lJwpD1fBYJSaarUE

Attributes

  • Install_directory

    %Public%

  • install_file

    Windows Security Health Host.exe

  • pastebin_url

    https://pastebin.com/raw/nV1XKCv3

aes.plain

Targets

    • Target

      5e2867075ab2ebe3b5d8b1648edabbf490a04ffc7de8808af20ae7729bc78950N

    • Size

      2.6MB

    • MD5

      ea05c6995e79aae43764232ef54421f0

    • SHA1

      8b6c4ec447bac2dddda3cd217fb694167999f845

    • SHA256

      5e2867075ab2ebe3b5d8b1648edabbf490a04ffc7de8808af20ae7729bc78950

    • SHA512

      e8c93c4d0c019ad8240dafe38e178346f334a9274faec09affc344cbd89d88761ad38531a309ca50068e995b4619f8be65d1acf91ee1565262be33ebce8f9556

    • SSDEEP

      24576:Z5UPamUFkoXq5W3CQutB4a3R+Bolg0n1SIO/WmnlmSjviIGLnr5UekMl2:Z54amUuoXKOsB49l0nwI7mRGLdmMs

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks