Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
loader1.exe
-
Size
5.0MB
-
Sample
250301-nxkles1jz8
-
MD5
70d285d40e06d6b57e9a82e96d17df18
-
SHA1
261f7f15d1fb16d2493e784d88a98caa3357c286
-
SHA256
56fa8c7c13912a3ca29df19e784d26482ba8a73c444962455ed75162222826af
-
SHA512
f2dbf618190dfa5f632c840b3a78bc8f6e61ea01473bea799698f11bcae7a8c90d4b6ee7629e031a9b42b7a024b513e058e8905affc1b69c4c176e747acecbb6
-
SSDEEP
768:rRrA2/ZIPfLbN5VAuP4GSjTYWeLBdhJ6Ws25l1Ul3nEc/sZc795+hT:VM2/GPfLLKHGSg/B3s250l3Ecf95q
Malware Config
Extracted
xworm
cool-autos.gl.at.ply.gg:23445
-
Install_directory
%Temp%
-
install_file
svhost.exe
Targets
-
-
Target
loader1.exe
-
Size
5.0MB
-
MD5
70d285d40e06d6b57e9a82e96d17df18
-
SHA1
261f7f15d1fb16d2493e784d88a98caa3357c286
-
SHA256
56fa8c7c13912a3ca29df19e784d26482ba8a73c444962455ed75162222826af
-
SHA512
f2dbf618190dfa5f632c840b3a78bc8f6e61ea01473bea799698f11bcae7a8c90d4b6ee7629e031a9b42b7a024b513e058e8905affc1b69c4c176e747acecbb6
-
SSDEEP
768:rRrA2/ZIPfLbN5VAuP4GSjTYWeLBdhJ6Ws25l1Ul3nEc/sZc795+hT:VM2/GPfLLKHGSg/B3s250l3Ecf95q
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-