General
- Target: e22f93f07544b0f475c263e30eb420c1aa3823264df3a6715aa6e33cfdf5dbb0
- Size: 1.2MB
- Sample: 221020-1xcl2agdan
- MD5: 0e86fb2120544989ae54edc86983bfed
- SHA1: d2e5f4353494e2d99a9287e2f5d0e66d22955a92
- SHA256: e22f93f07544b0f475c263e30eb420c1aa3823264df3a6715aa6e33cfdf5dbb0
- SHA512: 8820b787e70af246255e68b9f8c8549a38d4fe6bf4e8586bdafbdc1fd970f94a1c6de3250babf97f2e3a6e206505538f1f3fbd27a21770b1e9f583afb92ff763
- SSDEEP: 24576:U4lavt0LkLL9IMixoEgea7xd6f/QDBFEjzFgzvDywupi25:jkwkn9IMHea7xmO78zuzA1
Static task: static1
Behavioral task: behavioral1
- Sample: e22f93f07544b0f475c263e30eb420c1aa3823264df3a6715aa6e33cfdf5dbb0.exe
- Resource: win7-20220901-en
Malware Config
Extracted: cybergate v1.02.1
- Botnet: Lammer
- C2: ipsx.no-ip.org:81
- C2: ipsx.no-ip.org:7000
- C2: ipsx.no-ip.org:2000
- Mutex: Pluguin
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: Microsoft
- install_file: Pluguin.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO.
- message_box_title: LAMMER
- password: qwerty
- regkey_hkcu: Avirnt
- regkey_hklm: Avgnt
Targets
- Target: e22f93f07544b0f475c263e30eb420c1aa3823264df3a6715aa6e33cfdf5dbb0 (1.2MB; hashes as listed under General above)
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext