Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Smoke Load...er.exe

windows7-x64

3

Smoke Load...er.exe

windows10-2004-x64

10

SmokeBuild...an.exe

windows7-x64

3

SmokeBuild...an.exe

windows10-2004-x64

10

Something.exe

windows7-x64

10

Something.exe

windows10-2004-x64

10

XWorm V3.0.exe

windows7-x64

7

XWorm V3.0.exe

windows10-2004-x64

7

XWorm V6.0.exe

windows7-x64

1

XWorm V6.0.exe

windows10-2004-x64

10

XWorm.exe

windows7-x64

10

XWorm.exe

windows10-2004-x64

10

Xworm V5.6.exe

windows7-x64

10

Xworm V5.6.exe

windows10-2004-x64

10

comet v1.2.exe

windows7-x64

7

comet v1.2.exe

windows10-2004-x64

10

smokeloader.exe

windows7-x64

10

smokeloader.exe

windows10-2004-x64

10

startup.exe

windows7-x64

10

startup.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Desktop.rar

  • Size

    25.6MB

  • Sample

    250127-xl2j8s1qcx

  • MD5

    660f5938d3d67d963a72d54da9c2cb40

  • SHA1

    c34c7a5d6f5abada3563fa95d13f27130688a857

  • SHA256

    9a0c07d50e4a2b2ad412c850184a7e0d37bb30861587c8140b6f383633baf9f4

  • SHA512

    ee3b345adad7b28743e37f78b84c2914bddc1fa8fd11c99f5a8f3f71a83372c9b95f75a8008d7b405fa68c7391c506da490c00c48fb543c24402e6cbf8faa89a

  • SSDEEP

    786432:CD0ugg2KbU5S/oVzNtvjV32GxQiIQDFUaqK2Du8Q0k5:CD1g/Kb20ortZGkQiIQR4K2Du8QH5

Score
10/10
redlinesectopratsmokeloaderxwormstealersbackdoorbootkitdefense_evasiondiscoveryexecutioninfostealerpersistenceratspywaretrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

hardware-proceeds.gl.at.ply.gg:2217

Specter1-33484.portmap.host:33484

127.0.0.1:24107

soon-logical.gl.at.ply.gg:24107

why-familiar.gl.at.ply.gg:24107

defined-licenses.gl.at.ply.gg:24107

recent-keywords.gl.at.ply.gg:24107
Mutex

m2uiTWNHdk2RBCVs

Attributes
  • Install_directory

    %AppData%

  • install_file

    Marvel Rivals Mods.exe

aes.plain
aes.plain
aes.plain

Extracted

Family

xworm

C2

if-eventually.gl.at.ply.gg:17094

127.0.0.1:23684

up-mixed.gl.at.ply.gg:23684
Attributes
  • Install_directory

    %Temp%

  • install_file

    InjectMenu.exe

Extracted

Family

smokeloader

Version

2017

C2

http://dogewareservice.ru/

Extracted

Family

redline

Botnet

Stealers

C2

101.99.92.189:57725

Targets

    • Target

      Smoke Loader Stub Changer.exe

    • Size

      2.4MB

    • MD5

      7702528fa7fa7ba423e492c20cd4bec5

    • SHA1

      930d8e548e703ec4bedb154554a28b1cd1948ef5

    • SHA256

      8d08f1a5026c1d4f95fe8df86742c15f106335e4065c953dd92504c953a56b3d

    • SHA512

      facb2217cdbf3497a825a91cd16921474d9ef2a7c0ded549999a3aa08da31e38dde698f5124d667ca53a2a8dda01aa269a25c6b09b407de26c36a621c8fb2293

    • SSDEEP

      24576:wPxj4QxnIG12PHYiw34Jx+P/GCqX4hH9M69Xi5dLy9ZTtM:w

    Score
    10/10
    discoveryredlinesectopratstealersinfostealerratspywaretrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      SmokeBuilderbyKebabMan.exe

    • Size

      2.2MB

    • MD5

      15df99d7ed2f473c510c9a612258184d

    • SHA1

      f774e2316860627701cee5e2cf46021559338fc0

    • SHA256

      1a9af7da254ddb9d07dd7301624a6ba5cb5cd00c9fe8437fbd6ba73b19698b76

    • SHA512

      68d6256c72a6d5d94358d9e8e3d5db5d71feacb1609651c04a46682d98d3fa4dcaa976cf5887d8712fa1609cb30eefe64e056245d580f994a3f5fa716f9c8faf

    • SSDEEP

      24576:Pa88kabbdgkWgk+HsvmkFpJu3F8Uj2KLiMoZGZnRWyOIZBR6nrY:P

    Score
    10/10
    discoveryredlinesectopratstealersinfostealerratspywaretrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      Something.exe

    • Size

      38KB

    • MD5

      861d54dedccc2396e09e3f07c3624a93

    • SHA1

      2c6bd12d57008d08bfd3f1997e04f833c77a7f9d

    • SHA256

      f43b292f8fbe6622a22f4fe57654d102cfc180a465cb2952f884e9729e248564

    • SHA512

      0ee5aac3b2196bea3dc97ad5da763afecb46d6bbfba70ffe7006a23c7dc8a31c1b5392edf845802acc619be81356ca45d672abce9dca142a24682fbdb6afc279

    • SSDEEP

      768:VlZr4yCCTF+nM6tQ6NlEPTFA9Y4OMhEbV:VlZlCzq2lE7FA9Y4OMW5

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Drops startup file

    behavioral5behavioral6

    • Target

      XWorm V3.0.exe

    • Size

      7.1MB

    • MD5

      d0ee2181e8d2574bfe2ea6dadedd584d

    • SHA1

      0863c6fb57cd5d86411a8ca29f36ca30a0700925

    • SHA256

      89af2c4522118f49a64ee927088e250244ffbfd40d7130281fba7cd0f7f13b0d

    • SHA512

      f29183325ad2f656a097190bb1c22c21f6d1b5506733ed83a031ebb59342fa5ae646c17744d17282401275d88f853eabef1628e37b2c2d4b256d8d268998e8fb

    • SSDEEP

      196608:6aA2c2/RkLZvaU6ScXc4sqgCzlMNxKa+M9:6ad4vKSoiqgASNUP

    Score
    7/10

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    behavioral7behavioral8

    • Target

      XWorm V6.0.exe

    • Size

      290KB

    • MD5

      9c78c30d1c6936b3b25cd8bba4b593a3

    • SHA1

      71d6c72907f0c038cc51526d4fee00d80c6af8d4

    • SHA256

      666e3e7a8287b1fc975b5e46623e3a6e59f356101cd74f0138f750c61cb2c7ba

    • SHA512

      94f35cffb602962718b1c2c5eef8d865d3d4bb7c7aa6a6b6a19993113f9f71b2b412e1d4aa3e8a1c258078e55d430d4d8dc791c87aad30155067e4f318b76cc3

    • SSDEEP

      6144:M3J/lKaBuZxpbGn1PPT4WZuOusQY1H9X7iGZeSu+GRT:2KaIrRfOuRYtlySu

    Score
    10/10
    xwormbootkitdefense_evasionexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Sets service image path in registry

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

      defense_evasion

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    behavioral10behavioral9

    • Target

      XWorm.exe

    • Size

      3.9MB

    • MD5

      b64d3341b5b02b43e323dad18418f860

    • SHA1

      311f3b7c00377c31b863931fa9098a1289fa002e

    • SHA256

      89ece9b3aa654f19e7a5fac4289b78d04a3ec78898f518e7b466ef9eced08f53

    • SHA512

      c5bdd1ba4d368fc712c7931c94aac73b2b8bc9a0d60d1186dd5fe91ca4990f755c972a09d14d2d0a4c3abac55f35e3f28a4caec2d1b816f9e4edfa4cec95fef2

    • SSDEEP

      49152:uLazVYgVbLhDEAT+NPRRb+pmmkw4kcLzfxGMNICF53YxZ5K4WacdWb59f:uL0VPh1wHmkwaLbkMv2bvWa39f

    Score
    10/10
    xwormdiscoveryrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm
    behavioral11behavioral12

    • Target

      Xworm V5.6.exe

    • Size

      223KB

    • MD5

      be4f6b22d29024eb8d24a1ae5c5d2b67

    • SHA1

      186492cfd78ccccf458fd74cc73c32c080ec540a

    • SHA256

      701d0559203227d8d8ffb1794a4212475ba4e998bac6d03cb1df09bb5142fad7

    • SHA512

      644782024b36785aec3d7aa8ca4f4673a7be83ab01330c9ad271b91d3f78ff00ee287af1868e7c524d663bfbb9703d89abae0c239d5d9937c8ef64eba87bd851

    • SSDEEP

      3072:dRtqermyVDt6Jb+950vH9xScIObwOJ1wA2ewhLapuvpAsZOyMqmyBeYVYB:dRJrTVZ6JbEw6ME/GWGwqqm1

    Score
    10/10
    xwormpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral13behavioral14

    • Target

      comet v1.2.exe

    • Size

      3.9MB

    • MD5

      ecd5343a10891007c8dbc12e8329b07b

    • SHA1

      25198164f8a4ab73f6a9e120cf0c62ef6f928c3f

    • SHA256

      380f48e86d979a2a767675eb1946d632c338eb29d01e94589ec5cb0e755598fc

    • SHA512

      3983ef09124098e5935657dab36e065a2493125aa06657d7a78381cbd54011870d180a2740c07824c591d4c2a3fba56ac65ee099aaf885f4653db6d9c86dc34d

    • SSDEEP

      98304:4tQtcctenqRPbmF8hWTe0RortUw1lWp+etChvIz2T9o:6ytiMbxY7RsT1lWp+8Gvcc9

    Score
    10/10
    xwormbootkitdefense_evasionexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Sets service image path in registry

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

      defense_evasion

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    behavioral15behavioral16

    • Target

      smokeloader.exe

    • Size

      13KB

    • MD5

      75f6bb5d297c4ffbdff65cc5bbbdfb37

    • SHA1

      0aa7c2e75f63c685d8d085fbafca3a91d297b683

    • SHA256

      5eb4e7d954ad12e89c9c500f9894b76d08b7e53eb0f3f0b0e681d3bf11c4db51

    • SHA512

      fdb38133304714e3e553b02df7a7bb62b9127c9c832390ffb1553f3523cdffd00611b29a4916f00bd6b79209fef5b0ca4e4c28192e5522880bbde231c00ca7df

    • SSDEEP

      192:vBAlEMZWAY5nCtCY61l40CMvPSohzWLz5xWfgOQ/muu/d5THm4OtgO:JAnLAXNy/m3/bTKgO

    Score
    10/10
    smokeloaderbackdoordiscoverytrojan

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Smokeloader family

      smokeloader

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    behavioral17behavioral18

    • Target

      startup.exe

    • Size

      15.1MB

    • MD5

      de5a0b40167ca3b91bfc9abe2f836a5d

    • SHA1

      b69eeda00e222cb94ca97a77358cae3097f689ac

    • SHA256

      ce6b0524f235e48e04b0a86c7c6e6e609bf28c3cf1eb6b44374b3ae7e4200916

    • SHA512

      1f201f3e60b2fa504c46f6f3007d9d977c54c18d158e495ff998c1b3cf7bbee931dfcda285286386ad6ed92b8b256d49ecbbc7aaf2f5621db40760985d04b26f

    • SSDEEP

      196608:2HYWhktZpO50kDidzHNNqRjvDHqa7awfBMQaGzaI17RPYHtTLJBVHRbWPcQmZ5tB:24P7pO5gN0jLqqBWG2U7Ry3VBJZZ

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral19behavioral20

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Indicator Removal

1
T1070

Clear Windows Event Logs

1
T1070.001

Modify Registry

2
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

3
T1120

Query Registry

8
T1012

System Information Discovery

8
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks

static1

xworm
Score
10/10

behavioral1

discovery
Score
3/10

behavioral2

redlinesectopratstealersdiscoveryinfostealerratspywaretrojan
Score
10/10

behavioral3

discovery
Score
3/10

behavioral4

redlinesectopratstealersdiscoveryinfostealerratspywaretrojan
Score
10/10

behavioral5

xwormrattrojan
Score
10/10

behavioral6

xwormrattrojan
Score
10/10

behavioral7

Score
7/10

behavioral8

Score
7/10

behavioral9

Score
1/10

behavioral10

xwormbootkitdefense_evasionexecutionpersistencerattrojan
Score
10/10

behavioral11

xwormdiscoveryrattrojan
Score
10/10

behavioral12

xwormdiscoveryrattrojan
Score
10/10

behavioral13

xwormpersistencerattrojan
Score
10/10

behavioral14

xwormpersistencerattrojan
Score
10/10

behavioral15

Score
7/10

behavioral16

xwormbootkitdefense_evasionexecutionpersistencerattrojan
Score
10/10

behavioral17

smokeloaderbackdoordiscoverytrojan
Score
10/10

behavioral18

smokeloaderbackdoordiscoverytrojan
Score
10/10

behavioral19

xwormexecutionpersistencerattrojan
Score
10/10

behavioral20

xwormexecutionpersistencerattrojan
Score
10/10