General

  • Target

    XWorm-5.6.rar

  • Size

    21.5MB

  • Sample

    250131-xn3v3stqb1

  • MD5

    4f57637d0aa8ed0d3055802c3a90a58d

  • SHA1

    c8b298c0edea336ee4710a3c1da5cc7bce7467cf

  • SHA256

    987af5ed785a0c412b8c4f829df902e82e62e21917aa7abdcc0d825b4a463c67

  • SHA512

    5d7fae098076531f1af3447d03cfc1909cdc00cd3757132bee7d8ccb1b84d1e57d1c11066afa70c2d102fbcc5233a7e43c2ff017dc67a2cf7591a923032d54f7

  • SSDEEP

    393216:D+N2F6y80fxdY24Xhf7QUECurlXcphU4SwUKidjxOfvP5AXyaLe39neZ:D+Nj6x+TlEUEhIXSwUbdF6pEyJ3UZ

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

zWBJQzaMFzSXPOWb

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

xworm

C2

127.0.0.1:7000

Attributes
  • install_file

    USB.exe

Targets

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Uses the VBS compiler for execution

MITRE ATT&CK Enterprise v15

Tasks