Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

CleanCloner.exe

windows7-x64

7

CleanCloner.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    CleanCloner.zip

  • Size

    16.1MB

  • Sample

    250309-jcjfeaywex

  • MD5

    8f18d90c66b44072dbafdaa06dc405ba

  • SHA1

    4ab8111f05e2aa49e446d5bc84dd5dadf5f5815b

  • SHA256

    2bac335c9dfa46fdcea1bb93bcd34df36f66e8fe71c8842d11f4466db85a4573

  • SHA512

    f12b5b58c2a7f3f29e83f8f3754503c90d4851e35df498804702551a351d8e98dbc6197d61ff17e26115189c7b342eb9d215f50bee6d6034b9c9118944e1331a

  • SSDEEP

    393216:MgQPanOZXEFBLv2f5/o5N8/MjuTr8a3T0vV8T2JwF1EsdbbhyuVAVdmw4:aiWXgBLv2hAn8/X8a3ot8IY1pa6w4

Score
10/10
xwormexecutionpyinstallerrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

meowycatty.ddns.net:8843

Mutex

0E4VwJ2aWKHLu9kc

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      CleanCloner.exe

    • Size

      16.3MB

    • MD5

      e6ee0a54c4e9351983193e5944b66344

    • SHA1

      e182fce1c3e548d69a15d16edacfce95f1e33ae9

    • SHA256

      7beff8e3153ee395fec616046f0c39dff785a6b5a0762a8639756925c6aec5ab

    • SHA512

      4a8c99b1c00957771f64b01d73daebd5e0d61d5bd786d5141ef39e08bb40e35dfa2f525e970c98085d1ae0f5a66645f6e78ab02e75299ebef60a486fba8700b9

    • SSDEEP

      393216:vmer0QDwxpUTLfhJD1+TtIiFoY9Z8D8CclGm3rcrzTjtFCYhuLxkK:v9E7UTLJF1QtI3a8DZc0IraUSK

    Score
    10/10
    xwormexecutionrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks