
General

  • Target

    Comprehensive_Meta_Analysis_keygen_by_KeygenSumo.zip

  • Size

    6.0MB

  • Sample

    210613-wg42n2pskj

  • MD5

    bbeeab13ec3e2bd0fa1834ad5595b8ff

  • SHA1

    cbc4ca0bd6079aaddb274e9d808d1eddba9e4633

  • SHA256

    be4f041dd7d0b52077f7c92e2c5ecf7f35b29fe0b57f39026299e30e1da12a0e

  • SHA512

    b4038640198334c6f0a1cd6b6929f763a026258af5404109a3cc0033219ef60d123bac0c895fe38d961939a80f56f8fb49a9c2b1a192dfe653cf36aae6e0c1a6

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

raccoon

Botnet

e0aa5b6d2491c503baf06d4cfeb218de1cd41474

Attributes
  • url4cnc

    https://tttttt.me/hbackwoods1 (a Telegram page the stealer fetches to discover its real C2 address; the gate itself is not listed here)

  • rc4.plain

    $Z2s`ten\@bE9vzR

  • rc4.plain

    cd320581a4538f064a4996c8a8cec42b

Extracted

Family

pony

C2

http://www.oldhorse.info

Targets

    • Target

      Comprehensive_Meta_Analysis_keygen_by_KeygenSumo.exe

    • Size

      6.1MB

    • MD5

      c95e4a0b394708279480861e498f5e88

    • SHA1

      9930bae69d18cc4f1a4c59cd3d6b0de59b49dab3

    • SHA256

      64d37096515ff385f2a0a3c49ed8df8f7837f1e7d81de9f586d756fb4416117f

    • SHA512

      3c44424e3abba9e79ca2b5b141fd3cedf7c333a28a9066827184ec3c0b46f22ae697463e9d08427c2e847a79aaf0cc1b1d24c2336ad9ab3881b9e40ee1e96a8b

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • PlugX

      PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    • Pony, Fareit

      Pony (also tracked as Fareit) is a credential-stealing trojan that harvests stored passwords from browsers, FTP and email clients and can download additional payloads.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of SetThreadContext
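The signature list above names behaviours but not how a detection engine recognises them. The following added example (not tria.ge code or output) implements three of them over Sysmon-style events: "Executes dropped EXE" (a process whose image was created earlier in the same trace), "Adds Run key to start application" (a SetValue under a CurrentVersion\Run key) and "Looks up external IP address via web service" (a DNS query for a known IP-echo service). Field names follow Sysmon's schema; the event values, the dropped file name and the Run value name are constructed for the example.

```python
"""Toy re-implementation of three sandbox signatures over Sysmon-style events.

Added example; not code from tria.ge. Event values below are constructed.
"""
from dataclasses import dataclass

# Public services infostealers commonly query to learn the victim's external IP.
IP_LOOKUP_DOMAINS = {
    "api.ipify.org", "ipinfo.io", "icanhazip.com", "ip-api.com",
    "checkip.amazonaws.com", "ipecho.net",
}
# Registry paths whose values start a program at logon (compared lower-cased).
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


@dataclass
class Event:
    event_id: int   # Sysmon ID: 1 ProcessCreate, 11 FileCreate, 13 RegistrySetValue, 22 DNSQuery
    pid: int
    fields: dict    # Sysmon field names (Image, TargetFilename, TargetObject, QueryName, ...)


def detect(events):
    """Return (signature, detail) pairs in the order the triggering events occur."""
    hits = []
    dropped = set()  # files written by any process in this trace
    for ev in events:
        f = ev.fields
        if ev.event_id == 11:
            dropped.add(f["TargetFilename"].lower())
        elif ev.event_id == 1:
            # Only an image that this trace itself wrote counts as "dropped".
            if f["Image"].lower() in dropped:
                hits.append(("Executes dropped EXE", f["Image"]))
        elif ev.event_id == 13:
            target = f["TargetObject"].lower()
            if any(marker in target for marker in RUN_KEY_MARKERS):
                hits.append(("Adds Run key to start application",
                             f"{f['TargetObject']} -> {f['Details']}"))
        elif ev.event_id == 22:
            if f["QueryName"].lower() in IP_LOOKUP_DOMAINS:
                hits.append(("Looks up external IP address via web service",
                             f["QueryName"]))
    return hits


# Constructed trace: the report's sample drops and runs a second executable,
# installs a Run value, and queries an IP-echo service. Paths are hypothetical.
SAMPLE = r"C:\Users\victim\Desktop\Comprehensive_Meta_Analysis_keygen_by_KeygenSumo.exe"
DROPPED = r"C:\Users\victim\AppData\Local\Temp\payload.exe"
SAMPLE_EVENTS = [
    Event(1, 100, {"Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe"}),
    Event(11, 100, {"TargetFilename": DROPPED}),
    Event(1, 200, {"Image": DROPPED, "ParentImage": SAMPLE}),
    Event(13, 100, {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                    "Details": r"C:\Users\victim\AppData\Roaming\updater.exe"}),
    Event(22, 100, {"QueryName": "api.ipify.org"}),
    # Benign noise that must not fire.
    Event(13, 100, {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache",
                    "Details": r"C:\Users\victim\AppData\Local\Microsoft\Windows\INetCache"}),
    Event(22, 100, {"QueryName": "www.microsoft.com"}),
]

if __name__ == "__main__":
    for signature, detail in detect(SAMPLE_EVENTS):
        print(f"{signature}: {detail}")
```

Scoping "Executes dropped EXE" to files written within the same trace is what keeps it quiet in a sandbox; on a production endpoint the same rule would fire on every installer, so there it is normally narrowed to user-writable directories and to parents that are not trusted installers.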

MITRE ATT&CK Enterprise v6

Tasks
