General
- Target: WiseCare365_Setup_pass1234.rar
- Size: 41.2MB
- Sample: 221025-r7slkadab8
- MD5: 4c46306042a27a39cf5165928b3f66ce
- SHA1: fbde9581b74b59b4a4d8416e5810848b50b47ac5
- SHA256: 02b896d7b6d5c7b18f9f893b546e834e0ae5981d02227ae72a12b6906c0fcc0e
- SHA512: 6507172e7ca10e2b0dbf8024af1a2997270f7e6e5560a8b06c264fed696d977bd06927f8f8d6cb8fd5d9efe1f2e2a804bb7856e5af6d8911f8853a1984aecf72
- SSDEEP: 786432:ZTdz40hINYe3KLqfdoJEF+64S/oM+eUTH13DRC9:HEkB+yJ/hnHTV3DRq
Static task
- static1

Behavioral task
- behavioral1
  - Sample: WiseCare365_Setup.exe
  - Resource: win7-20220901-en

Behavioral task
- behavioral2
  - Sample: WiseCare365_Setup.exe
  - Resource: win10v2004-20220901-en
Malware Config

Extracted
- http://31.42.177.171/hfile.bin

Extracted (systembc)
- 89.22.225.242:4193
- 195.2.93.22:4193
Targets
- Target: WiseCare365_Setup.exe
- Size: 41.2MB
- MD5: a054cf67547476c2ab1b4d8e66bff7b3
- SHA1: b1b29a1ce3b6ee3bbea3ef30c36d7bd0f0935699
- SHA256: 8baf828cdb482e769c87e58d47782100ebce01c9039a670b154d0f8eca958948
- SHA512: f672dcc0e190b22664770c2ce151a384e5bc06bce98e9f71e8f4a7eb480c08e5c15f14cdbc8a141599c854a5bfd0edecad63795edf388a752259855fe90c135f
- SSDEEP: 786432:QsCKwcgE6McNv4noJS8nqOkx1Aiwn6QB3bwvNf1soEZLM/1A6LAVByFkWOOrHSPb:JChcgEFc/AnxlCboZ1dE18Zk0kWIb
Signatures
- DcRat: DarkCrystal (DC) is a .NET RAT, active since June 2019, capable of loading additional plugins.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandbox environments.
- Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext