General
- Target: f43eff1e512ad2f52f2249af234f1436e7e665174e7a36d5df6c40215c67ffc7
- Size: 1.1MB
- Sample: 221014-lp2hvshha8
- MD5: 626b8d03be6e13c113081a7d1a8f2673
- SHA1: 273ba5653a9781689be443f13e519d7f71e4ae6b
- SHA256: f43eff1e512ad2f52f2249af234f1436e7e665174e7a36d5df6c40215c67ffc7
- SHA512: 4eec7c14ce599fca0d4c6d32c5794d795415a46bd82fe0dd20798d3da5059f3e99826e2fffe0fed59d034623ebe10482c6af9e0711a99db024f334cedbb7e2ea
- SSDEEP: 24576:r7gluJ0c7UjEKQ1uvH3Oy4IPBqKF58QG4x03PdhMdh:rquJ8TDeyfPBp8h7dhML

Static task
- static1

Behavioral task
- behavioral1
- Sample: f43eff1e512ad2f52f2249af234f1436e7e665174e7a36d5df6c40215c67ffc7.exe
- Resource: win7-20220812-en
Malware Config
Extracted
- Family: cybergate
- Version: 2.5
- Botnet: NetSus
- C2: lokotokio.no-ip.org:8888
- Mutex: ***MUTEX***
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: Elplorer
- install_file: lexplorer.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: texto da mensagem (Portuguese: "message text")
- message_box_title: título da mensagem (Portuguese: "message title")
- password: loko
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Targets
- Target: f43eff1e512ad2f52f2249af234f1436e7e665174e7a36d5df6c40215c67ffc7
- Size: 1.1MB
- MD5, SHA1, SHA256, SHA512, SSDEEP: identical to the values listed under General above

Signatures
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
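The extracted config and the signature list above together describe a recognisable on-host footprint: a copy of the sample written as lexplorer.exe under an Elplorer directory, three registry persistence points (a Run value, a Policies\Explorer\Run value, and an Active Setup Installed Components StubPath), a launch of the dropped copy, explorer.exe started by that copy (the usual shape of SetThreadContext-based hollowing into the configured injected_process), and an outbound connection to lokotokio.no-ip.org:8888. The script below is an added example, not tria.ge code or part of this report, that turns those indicators into detection logic and runs it over constructed Sysmon-style events (event IDs 1, 3, 11 and 13 with their usual field names). The absolute install path, the registry value names, the Active Setup GUID and every sample event are assumptions made for illustration; the C2 host/port, install_dir, install_file and injected_process values are taken from the config.

```python
import re

# Indicators copied from the extracted CyberGate config in this report.
C2_HOST = "lokotokio.no-ip.org"
C2_PORT = 8888
INSTALL_DIR = "Elplorer"
INSTALL_FILE = "lexplorer.exe"
INJECTED_PROCESS = "explorer.exe"

# The report does not give the parent directory of install_dir, so we match on
# the "\Elplorer\lexplorer.exe" tail only (assumption).
INSTALL_PATH_FRAGMENT = f"\\{INSTALL_DIR}\\{INSTALL_FILE}".lower()

# Registry locations behind the "Adds Run key", "Adds policy Run key" and
# "Modifies Installed Components" signatures. Value names are left open because
# they are not in the report.
PERSISTENCE_KEYS = {
    "adds_run_key": re.compile(
        r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I),
    "adds_policy_run_key": re.compile(
        r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\[^\\]+$", re.I),
    "modifies_installed_components": re.compile(
        r"\\Software\\Microsoft\\Active Setup\\Installed Components\\[^\\]+\\StubPath$", re.I),
}

# Parents that legitimately start explorer.exe on a Windows 7 desktop; anything
# else spawning it is treated as a hollowing candidate (heuristic, assumption).
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the detection names that fire for one Sysmon-style event dict."""
    hits = []
    eid = ev.get("EventID")
    if eid == 13:  # RegistryEvent: value set
        target = ev.get("TargetObject", "")
        for name, rx in PERSISTENCE_KEYS.items():
            if rx.search(target):
                hits.append(name)
                # Strongest signal: the persistence value points at install_file.
                if INSTALL_FILE.lower() in ev.get("Details", "").lower():
                    hits.append("persistence_points_to_install_file")
    elif eid == 11:  # FileCreate
        if INSTALL_PATH_FRAGMENT in ev.get("TargetFilename", "").lower():
            hits.append("drops_install_file")
    elif eid == 1:  # ProcessCreate
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        if INSTALL_PATH_FRAGMENT in image.lower():
            hits.append("executes_dropped_exe")
        if (_basename(image) == INJECTED_PROCESS
                and _basename(parent) not in EXPECTED_EXPLORER_PARENTS):
            hits.append("explorer_spawned_by_unexpected_parent")
    elif eid == 3:  # NetworkConnect
        if (ev.get("DestinationHostname", "").lower() == C2_HOST
                and int(ev.get("DestinationPort", 0)) == C2_PORT):
            hits.append("c2_connect")
    return hits


def triage(events):
    """Run every event through check_event; return {detection: [event indexes]}."""
    findings = {}
    for i, ev in enumerate(events):
        for name in check_event(ev):
            findings.setdefault(name, []).append(i)
    return findings


# Constructed sample events (not from the sandbox run). Paths, SIDs, value
# names and the all-zero GUID are made up for illustration.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\sample.exe",
     "TargetFilename": r"C:\Windows\system32\Elplorer\lexplorer.exe"},
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\sample.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\HKCU",
     "Details": r"C:\Windows\system32\Elplorer\lexplorer.exe"},
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\sample.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies",
     "Details": r"C:\Windows\system32\Elplorer\lexplorer.exe"},
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\sample.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}\StubPath",
     "Details": r"C:\Windows\system32\Elplorer\lexplorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\system32\Elplorer\lexplorer.exe",
     "ParentImage": r"C:\Users\user\Desktop\sample.exe"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\system32\Elplorer\lexplorer.exe"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationHostname": "lokotokio.no-ip.org", "DestinationPort": 8888},
    # Benign noise: explorer.exe started normally at logon, must not fire.
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\system32\userinit.exe"},
]

if __name__ == "__main__":
    for name, idx in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{name}: events {idx}")
```

The explorer.exe parent check is the only heuristic here; it does not observe SetThreadContext itself (Sysmon has no event for it) and will also fire on legitimate launchers that restart the shell, so treat it as a correlation signal next to the registry and network hits rather than as a stand-alone alert. The registry matches are the durable ones: the Run and Policies\Explorer\Run values and the Active Setup StubPath survive reboots and are where the dropped lexplorer.exe path will be found during forensic triage.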