General
- Target: tarksloader.hta
- Size: 944B
- Sample: 250326-s25vdaxxfy
- MD5: cc3c0e6f75302fb6c2d9b5e7f487efe8
- SHA1: aa94427fcc50b727fa22914292ea5c95755823d9
- SHA256: 354d082858bfc5e24133854ff14bb2e89bc16e1b010b9d3372c8370d3144cdb9
- SHA512: 24f7550776de67d94311840a68fd0f0d0041c9b2035b47899739ffbdb7c1c83281f8c3cfbf6884ad214b74f6bbb386565b4a1836e7bad1f88e661a940b8c304b
Static task: static1
Behavioral task: behavioral1
- Sample: tarksloader.hta
- Resource: win7-20241023-en
Malware Config
Extracted
- Family: xworm
- Version: 5.0
- C2: 142.147.96.74:7000
- C2: buinhatduy01.ddns.net:7000
- C2: buinhatduy.duckdns.org:7000
- O9hqaPBmS3qVW6ON
- Install_directory: %AppData%
- install_file: AggregatorHost.exe
Targets
- Target: tarksloader.hta
- Size: 944B
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Download via BitsAdmin
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  BITS Jobs (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)