General

  • Target

    Api-AutoUpdaterV2.exe

  • Size

    87KB

  • Sample

    241117-hhetqssrcy

  • MD5

    9f9e3e562c3ace91fd36c7d9b49c56a7

  • SHA1

    32317350629c0591b49726ad71ab49e12b208918

  • SHA256

    c2306587c0e582a16037717598479523ba07d1afb646ab4a4ab63173adaaa971

  • SHA512

    8a60f2a143475fed2837a670717c5e35bcb0c0602fd633cda4efdfdd95ae15c407077fca5b7e5ac1dd771acc994f7f3b3fdff589dc3f613bce6144cdc3c7df8d

  • SSDEEP

    1536:CLVnqRcrCwNlhr/CbCRSCpv1ZLFNxdlub5mUnaC9UWGIiEdrRFbw0I5oKV+Uq4Q3:CslcCbCRBnFNblub5mUavWGAfFbwVVTQ

Malware Config

Extracted

Family

xworm

C2

job-moore.gl.at.ply.gg:49404

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Helper.exe

Targets

    • Target

      Api-AutoUpdaterV2.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payload is not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
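The extracted config above (C2 host and port, install directory and file name) and the behaviour signatures in this section map directly onto host telemetry. The script below is an added example, not part of the tria.ge report or the XWorm project, showing detection logic for both sections run over a constructed stream of Sysmon-style process, file, registry and network events (not real telemetry). The list of public IP-lookup hostnames is an illustrative assumption: the report only says "a legitimate IP lookup service" and does not name it. Note that the C2 hostname is a playit.gg tunnel endpoint (ply.gg), so the resolved IP belongs to a shared relay; the hostname plus port is the indicator worth keeping, not the address.

```python
"""Detection logic for the config and behaviours listed in this report.

Added example, not code from the original report. Events below are constructed
Sysmon-style dictionaries; the IP-lookup hostname list is an assumption.
"""
import re

# Indicators taken from the report's extracted config and target hashes.
C2_HOST = "job-moore.gl.at.ply.gg"
C2_PORT = 49404
INSTALL_PATH = r"c:\programdata\helper.exe"   # %ProgramData%\Helper.exe
SHA256 = "c2306587c0e582a16037717598479523ba07d1afb646ab4a4ab63173adaaa971"

# Assumption: the report does not name the IP-lookup service, so this list of
# commonly used public services is illustrative only.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "ipinfo.io"}

RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
DEFENDER_EXCL_RE = re.compile(
    r"add-mppreference\s+.*-exclusion(path|process|extension)\b", re.I)


def match_event(ev):
    """Return the names of the report's signatures that this one event satisfies."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        if DEFENDER_EXCL_RE.search(ev.get("CommandLine", "")):
            hits.append("Defender exclusion via PowerShell")
        if ev.get("Image", "").lower() == INSTALL_PATH:
            hits.append("Executes dropped EXE")
        if ev.get("Hashes", {}).get("SHA256", "").lower() == SHA256:
            hits.append("Known sample hash")
    elif eid == 3:  # network connection
        host = ev.get("DestinationHostname", "").lower()
        if host == C2_HOST and ev.get("DestinationPort") == C2_PORT:
            hits.append("XWorm C2")
        if host in IP_LOOKUP_HOSTS:
            hits.append("External IP lookup")
    elif eid == 11:  # file create
        if ev.get("TargetFilename", "").lower() == INSTALL_PATH:
            hits.append("Drops install file")
    elif eid == 13:  # registry value set
        if (RUN_KEY_RE.search(ev.get("TargetObject", ""))
                and INSTALL_PATH in ev.get("Details", "").lower()):
            hits.append("Run key persistence")
    return hits


def scan(events):
    """Aggregate signature hits across an event stream: signature name -> count."""
    counts = {}
    for ev in events:
        for name in match_event(ev):
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample events mirroring the behaviours the report lists.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\u\Api-AutoUpdaterV2.exe",
     "CommandLine": "Api-AutoUpdaterV2.exe", "Hashes": {"SHA256": SHA256}},
    {"EventID": 11, "Image": r"C:\Users\u\Api-AutoUpdaterV2.exe",
     "TargetFilename": r"C:\ProgramData\Helper.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -Command Add-MpPreference -ExclusionPath "
                    "'C:\\ProgramData' -ExclusionProcess 'Helper.exe' "
                    "-ExclusionExtension '.exe'"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Helper",
     "Details": r"C:\ProgramData\Helper.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\Helper.exe",
     "CommandLine": r"C:\ProgramData\Helper.exe"},
    {"EventID": 3, "Image": r"C:\ProgramData\Helper.exe",
     "DestinationHostname": "api.ipify.org", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\ProgramData\Helper.exe",
     "DestinationHostname": "job-moore.gl.at.ply.gg", "DestinationPort": 49404},
    # Benign noise that must not match.
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationHostname": "www.microsoft.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for name, n in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{n}x {name}")
```

The Defender-exclusion and Run-key rules are the durable part of this: the C2 hostname and the file name change per build, while the PowerShell `Add-MpPreference` pattern and a Run value pointing into %ProgramData% recur across XWorm samples, so those two rules are worth keeping even after the config-based indicators go stale.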
