Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
XClient.exe
-
Size
64KB
-
Sample
250309-mj3z6szxat
-
MD5
1ff6154dbcb71d60e924548345b984da
-
SHA1
075b5dbfbe99a2bc6e01db6c831a06878ff5cfbe
-
SHA256
a973208f7dff8f3ef5777da04f73415801f2f2ded3ea44077ca9a695a7965d66
-
SHA512
7bee117cdec90e0a1a7efa62679423d70b585e8d5de6f54a44241e4a44bca789d2c3eeebe85112bf88688e40abd3511308d0c2c6d3c42f69575e156d569ef2e3
-
SSDEEP
1536:LdUF8CEWGeTI9jApgc+bMuWGZnJ8p6uovO9bkMx:9WHI9Epgc+bMubJ8QvO9bHx
Malware Config
Extracted
xworm
adrianmoritoru-34347.portmap.io:7000
192.168.150.131:7000
-
Install_directory
%Userprofile%
-
install_file
injector.exe
Targets
-
-
Target
XClient.exe
-
Size
64KB
-
MD5
1ff6154dbcb71d60e924548345b984da
-
SHA1
075b5dbfbe99a2bc6e01db6c831a06878ff5cfbe
-
SHA256
a973208f7dff8f3ef5777da04f73415801f2f2ded3ea44077ca9a695a7965d66
-
SHA512
7bee117cdec90e0a1a7efa62679423d70b585e8d5de6f54a44241e4a44bca789d2c3eeebe85112bf88688e40abd3511308d0c2c6d3c42f69575e156d569ef2e3
-
SSDEEP
1536:LdUF8CEWGeTI9jApgc+bMuWGZnJ8p6uovO9bkMx:9WHI9Epgc+bMubJ8QvO9bHx
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1