General

  • Target

    e9b82889b8e458dce4efa341d1c9fb3da7ad9246d37c16707bd31b3ec5509eb9

  • Size

    767KB

  • Sample

    221001-3g7hksbhf4

  • MD5

    5904871d8801f165e37c246bbf79f286

  • SHA1

    4a4233176739b9437032be597923b2241b8265d5

  • SHA256

    e9b82889b8e458dce4efa341d1c9fb3da7ad9246d37c16707bd31b3ec5509eb9

  • SHA512

    f8c0e1d89819011f56880b7af29090970f91592d46dfae085e0900a4f655635c9adcb467a8b60c95f3a81b80230e21c88e92e4f40f21a1360d43e390f778b24c

  • SSDEEP

    12288:EyJJsR1oT51musrmQqAXlhUQEUac8YT1fo9GVB7Ue9IgM1bI3U:i+51mL1Xce1w9GVB7UzbIE

Malware Config

Extracted

Family

xtremerat

C2

dfuso.zapto.org

Targets

    • Target

      e9b82889b8e458dce4efa341d1c9fb3da7ad9246d37c16707bd31b3ec5509eb9

    • Size

      767KB

    • MD5

      5904871d8801f165e37c246bbf79f286

    • SHA1

      4a4233176739b9437032be597923b2241b8265d5

    • SHA256

      e9b82889b8e458dce4efa341d1c9fb3da7ad9246d37c16707bd31b3ec5509eb9

    • SHA512

      f8c0e1d89819011f56880b7af29090970f91592d46dfae085e0900a4f655635c9adcb467a8b60c95f3a81b80230e21c88e92e4f40f21a1360d43e390f778b24c

    • SSDEEP

      12288:EyJJsR1oT51musrmQqAXlhUQEUac8YT1fo9GVB7Ue9IgM1bI3U:i+51mL1Xce1w9GVB7UzbIE

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

    • Modifies Installed Components in the registry

    • Checks BIOS information in registry

      BIOS version and date strings are often read from the registry to detect virtual machines and sandboxes, whose firmware identifiers differ from those of physical hardware.

    • Deletes itself

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
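
The behavioural signatures listed above are each a pattern over the sandbox's event stream: registry reads of BIOS values, a Wine key lookup, Run and Active Setup "Installed Components" writes, a drop into System32, deletion of the sample's own file, and the two thread API calls. The script below re-implements those checks over a constructed event log so the matching logic can be seen end to end. It is an added example, not Hatching Triage's own signature engine; the event format, the sample path and the GUID under Installed Components are assumptions made for the example, while the registry paths and the ThreadHideFromDebugger value (0x11) are well-known constants.

```python
"""Re-implement the report's behavioural signatures over a constructed
event log.  Added example; not Hatching Triage's signature engine."""
import re

# Well-known registry values read to fingerprint a VM/sandbox from firmware strings.
BIOS_VALUES = {
    r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SYSTEM\SYSTEMBIOSVERSION",
    r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SYSTEM\VIDEOBIOSVERSION",
    r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SYSTEM\SYSTEMBIOSDATE",
}
# Wine exposes itself through HKCU\Software\Wine (and HKLM\Software\Wine).
WINE_KEY_RE = re.compile(r"\\SOFTWARE\\WINE(\\|$)")
# Run / RunOnce autostart keys under HKCU or HKLM.
RUN_KEY_RE = re.compile(r"\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN(ONCE)?$")
# Active Setup "Installed Components": StubPath is run once per user at logon.
ACTIVE_SETUP_RE = re.compile(r"\\ACTIVE SETUP\\INSTALLED COMPONENTS\\")
SYSTEM32_RE = re.compile(r"^[A-Z]:\\WINDOWS\\SYSTEM32\\")
# ThreadInformationClass value for ThreadHideFromDebugger.
THREAD_HIDE_FROM_DEBUGGER = 0x11

# Assumed path the sandbox ran the sample from (constructed for this example).
SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\e9b82889b8e458dce4efa341d1c9fb3da7ad9246d37c16707bd31b3ec5509eb9.exe")

# Constructed event log in an assumed format; not the report's real trace.
CONSTRUCTED_EVENTS = [
    {"type": "regquery", "path": r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "regquery", "path": r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"type": "regquery", "path": r"HKEY_CURRENT_USER\Software\Wine"},
    {"type": "regquery", "path": r"HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper"},  # benign
    {"type": "regset", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "HKCU"},
    {"type": "regset", "key": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup"
                              r"\Installed Components\{00000000-0000-0000-0000-000000000000}",
     "value": "StubPath"},  # GUID is a placeholder
    {"type": "filewrite", "path": r"C:\Windows\System32\dropped.exe"},  # constructed name
    {"type": "filedelete", "path": SAMPLE_PATH},
    {"type": "api", "name": "NtSetInformationThread", "args": {"ThreadInformationClass": 0x11}},
    {"type": "api", "name": "SetThreadContext", "args": {}},
]


def match_signatures(events, sample_path):
    """Return the set of signature names triggered by `events`.

    `events` is an iterable of dicts with a "type" field; `sample_path` is the
    on-disk path of the analysed binary, used for the self-deletion check.
    All path comparisons are case-insensitive, as the Windows registry and
    file system are.
    """
    hits = set()
    sample = sample_path.upper()
    for ev in events:
        kind = ev["type"]
        if kind == "regquery":
            path = ev["path"].upper()
            if path in BIOS_VALUES:
                hits.add("Checks BIOS information in registry")
            elif WINE_KEY_RE.search(path):
                hits.add("Identifies Wine through registry keys")
        elif kind == "regset":
            key = ev["key"].upper()
            if RUN_KEY_RE.search(key):
                hits.add("Adds Run key to start application")
            elif ACTIVE_SETUP_RE.search(key):
                hits.add("Modifies Installed Components in the registry")
        elif kind == "filewrite":
            if SYSTEM32_RE.match(ev["path"].upper()):
                hits.add("Drops file in System32 directory")
        elif kind == "filedelete":
            if ev["path"].upper() == sample:
                hits.add("Deletes itself")
        elif kind == "api":
            name, args = ev["name"], ev.get("args", {})
            if (name == "NtSetInformationThread"
                    and args.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER):
                hits.add("Suspicious use of NtSetInformationThreadHideFromDebugger")
            elif name == "SetThreadContext":
                hits.add("Suspicious use of SetThreadContext")
    return hits


if __name__ == "__main__":
    for sig in sorted(match_signatures(CONSTRUCTED_EVENTS, SAMPLE_PATH)):
        print(sig)
```

Run as-is it prints the eight behavioural signatures from this report; the benign wallpaper lookup, a deletion of any file other than the sample, or an NtSetInformationThread call with a different information class produce no hit, which is the distinction a triage analyst wants when deciding which events are worth a closer look.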

MITRE ATT&CK Enterprise v6

Tasks