
Resubmissions

07/02/2022, 00:34 UTC

220207-aw81qsdce2 10

Analysis

  • max time kernel
    147s
  • max time network
    185s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    07/02/2022, 00:34 UTC

General

  • Target
    BattleText.exe
  • Size
    79KB
  • MD5
    ac98d5e7f59a9feb167f01c6749baccb
  • SHA1
    80be262b88d22230ebd7a44e03ddd810092fdfb5
  • SHA256
    c7e4b8b9ded5df50dc1b2b8e6af95cb6cfb310c20be19c879c48a83371b345da
  • SHA512
    6ff2a6713691b097ccd678f6275624ed88561aa4458a3d5e2b9bfece60d4cfccdf0c4a88aba0728569126648c1a93972c45807ae077c60203f1eee63f5bca368

Score
10/10

Malware Config

Extracted

  • Family
    asyncrat
  • Version
    0.5.7B
  • Botnet
    Default
  • C2
    shortcut2021.duckdns.org:6001
  • Mutex
    AsyncMutex_6SI8OkPnk

Attributes

  • anti_vm
    false
  • bsod
    false
  • delay
    3
  • install
    false
  • install_folder
    %AppData%
  • pastebin_config
    null

aes.plain

  • 1
    Sy0rKC9NQlriySOjFheg8sdc3MHob2er

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Async RAT payload 4 IoCs
  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BattleText.exe (PID 2040)
    "C:\Users\Admin\AppData\Local\Temp\BattleText.exe"
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\BattleText.exe (PID 1240, child of PID 2040)
      "C:\Users\Admin\AppData\Local\Temp\BattleText.exe"
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken

Network

  • DNS (US)
    raw.githubusercontent.com
    BattleText.exe
    Remote address:
    8.8.8.8:53
    Request
    raw.githubusercontent.com
    IN A
    Response
    raw.githubusercontent.com
    IN A
    185.199.108.133
    raw.githubusercontent.com
    IN A
    185.199.109.133
    raw.githubusercontent.com
    IN A
    185.199.110.133
    raw.githubusercontent.com
    IN A
    185.199.111.133
  • GET (US)
    https://raw.githubusercontent.com/Rako-Team/websocket/main/WebSockets/Properties/xad1
    BattleText.exe
    Remote address:
    185.199.108.133:443
    Request
    GET /Rako-Team/websocket/main/WebSockets/Properties/xad1 HTTP/1.1
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 135168
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: application/octet-stream
    ETag: "392e4071ba1e2708bcc0a1baf5d0c16634e5171c881efe4d9a20415ed6ccd6fa"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: F1B2:E9A6:2B12A92:2CA3408:62006A71
    Accept-Ranges: bytes
    Date: Mon, 07 Feb 2022 00:40:17 GMT
    Via: 1.1 varnish
    X-Served-By: cache-ams21057-AMS
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1644194417.057716,VS0,VE185
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    X-Fastly-Request-ID: 82d6594b115893f8753957445ba5373764743679
    Expires: Mon, 07 Feb 2022 00:45:17 GMT
    Source-Age: 0
  • DNS (US)
    shortcut2021.duckdns.org
    BattleText.exe
    Remote address:
    8.8.8.8:53
    Request
    shortcut2021.duckdns.org
    IN A
    Response
    shortcut2021.duckdns.org
    IN A
    54.36.108.131
  • 185.199.108.133:443
    https://raw.githubusercontent.com/Rako-Team/websocket/main/WebSockets/Properties/xad1
    tls, http
    BattleText.exe
    3.1kB
    147.2kB
    57
    106

    HTTP Request

    GET https://raw.githubusercontent.com/Rako-Team/websocket/main/WebSockets/Properties/xad1

    HTTP Response

    200
  • 54.36.108.131:6001
    shortcut2021.duckdns.org
    tls
    BattleText.exe
    1.5kB
    3.1kB
    16
    14
  • 8.8.8.8:53
    raw.githubusercontent.com
    dns
    BattleText.exe
    71 B
    135 B
    1
    1

    DNS Request

    raw.githubusercontent.com

    DNS Response

    185.199.108.133
    185.199.109.133
    185.199.110.133
    185.199.111.133

  • 8.8.8.8:53
    shortcut2021.duckdns.org
    dns
    BattleText.exe
    70 B
    86 B
    1
    1

    DNS Request

    shortcut2021.duckdns.org

    DNS Response

    54.36.108.131

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1240-64-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize: 72KB
  • memory/1240-63-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize: 72KB
  • memory/1240-62-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize: 72KB
  • memory/1240-61-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize: 72KB
  • memory/1240-60-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize: 72KB
  • memory/1240-65-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize: 72KB
  • memory/1240-67-0x0000000004CC0000-0x0000000004CC1000-memory.dmp
    Filesize: 4KB
  • memory/2040-57-0x0000000000480000-0x00000000004C6000-memory.dmp
    Filesize: 280KB
  • memory/2040-58-0x0000000000C00000-0x0000000000C28000-memory.dmp
    Filesize: 160KB
  • memory/2040-59-0x0000000000BA0000-0x0000000000BA1000-memory.dmp
    Filesize: 4KB
  • memory/2040-55-0x0000000000E90000-0x0000000000EAA000-memory.dmp
    Filesize: 104KB
  • memory/2040-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
    Filesize: 8KB
