Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
http://gofile.io
-
Sample
250309-sgnqcstmx2
Malware Config
Extracted
xworm
-
Install_directory
%Temp%
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/wXYjM7Vm
-
telegram
https://api.telegram.org/bot7377184900:AAHFDX1FxXhaVcxsJ6GOid3PcOAfkgsfjas/sendMessage?chat_id=6836733049
Targets
-
-
Target
http://gofile.io
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Blocklisted process makes network request
-
Download via BitsAdmin
-
Downloads MZ/PE file
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Executes dropped EXE
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
4Credentials In Files
4