General
- Target: xwormCLIENT2.exe
- Size: 35KB
- Sample: 250310-lka54szqt4
- MD5: 61b3eaa95f47735656c53ae1b624a92e
- SHA1: 70cc99399966d05cf3e501f0b8a31f1cb0d93b21
- SHA256: 151410bb07ae5131d50cb4a8c64893fb4e0d4b7ce6bf66b9d7b209cf38b02463
- SHA512: 6ee3cf1c36d7b9783afd22b815b500fbffc461660e5c213dba90baa83e4f76676be92cf940cf58bd4a41f43082e0f7ac61b6517eefba71331390da39084ee79e
- SSDEEP: 768:5ABBjNATVnMPqAlz6Fg9NuXe6rO/hm/jF/xK:5ABB5aVnMnl2Fg9N76rO/8B/4
Behavioral task
- Task: behavioral1
- Sample: xwormCLIENT2.exe
- Resource: win10v2004-20250217-en
Malware Config
Extracted
- Family: xworm
- Version: 5.0
- sePI8GoURsCcKknD
- Install_directory: %AppData%
- install_file: realtimeaudio.exe
- pastebin_url: https://pastebin.com/raw/ntHbDxVx
Targets
Score: 10/10
Signatures
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)