General

  • Target

    WiseCare365_Setup_pass1234.rar

  • Size

    41.2MB

  • Sample

    221025-r7slkadab8

  • MD5

    4c46306042a27a39cf5165928b3f66ce

  • SHA1

    fbde9581b74b59b4a4d8416e5810848b50b47ac5

  • SHA256

    02b896d7b6d5c7b18f9f893b546e834e0ae5981d02227ae72a12b6906c0fcc0e

  • SHA512

    6507172e7ca10e2b0dbf8024af1a2997270f7e6e5560a8b06c264fed696d977bd06927f8f8d6cb8fd5d9efe1f2e2a804bb7856e5af6d8911f8853a1984aecf72

  • SSDEEP

    786432:ZTdz40hINYe3KLqfdoJEF+64S/oM+eUTH13DRC9:HEkB+yJ/hnHTV3DRq

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    exe.dropper: http://31.42.177.171/hfile.bin

Extracted

  • Family

    systembc

  • C2

    89.22.225.242:4193
    195.2.93.22:4193
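
The two extracted configs give a complete set of network indicators: the dropper URL the PowerShell stage fetches and the two SystemBC C2 endpoints, both on port 4193. The script below is an added example (not part of the Triage report) that matches those indicators against flow and HTTP logs. The C2 endpoints and the dropper URL are the ones listed above; the log lines are constructed in Zeek conn.log / http.log style so it runs offline, and the column offsets assume Zeek's default field order (check the #fields header of a real log before relying on them). Beyond the exact IP:port pairs it also flags a C2 IP seen on another port, since the port in a SystemBC config can change between builds while the hosting stays the same.

```python
"""Match the indicators extracted above against flow and HTTP logs.

Added example, not part of the Triage report. The C2 endpoints and dropper URL
are the ones the report lists; the log lines are constructed in Zeek
conn.log / http.log style. Column positions follow Zeek's default field order
(an assumption: check the #fields header of a real log before relying on
fixed offsets).
"""
from urllib.parse import urlsplit

# Indicators from the report's Malware Config section
C2_ENDPOINTS = {("89.22.225.242", 4193), ("195.2.93.22", 4193)}
C2_IPS = {ip for ip, _ in C2_ENDPOINTS}
DROPPER_URLS = {"http://31.42.177.171/hfile.bin"}

# Constructed logs; benign destinations use RFC 5737 documentation ranges.
# conn.log fields assumed: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto
CONN_LOG = """\
1666700000.1\tCabc1\t10.0.0.5\t49152\t89.22.225.242\t4193\ttcp
1666700001.2\tCabc2\t10.0.0.5\t49153\t31.42.177.171\t80\ttcp
1666700002.3\tCabc3\t10.0.0.7\t49154\t203.0.113.10\t443\ttcp
1666700003.4\tCabc4\t10.0.0.5\t49155\t195.2.93.22\t4193\ttcp
1666700004.5\tCabc5\t10.0.0.9\t49156\t89.22.225.242\t443\ttcp
"""
# http.log fields assumed: ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri
HTTP_LOG = """\
1666700001.2\tCabc2\t10.0.0.5\t49153\t31.42.177.171\t80\t1\tGET\t31.42.177.171\t/hfile.bin
1666700005.0\tCabc6\t10.0.0.7\t49157\t198.51.100.20\t80\t1\tGET\texample.com\t/index.html
"""


def dropper_hosts():
    """(host, port) pairs implied by the dropper URLs, so plain flows can be matched too."""
    hosts = set()
    for url in DROPPER_URLS:
        parts = urlsplit(url)
        hosts.add((parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)))
    return hosts


def match_conn(lines):
    """Flag flows to the C2 endpoints, to the dropper host, and (lower confidence)
    to a C2 IP on a port other than the one in the extracted config."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        uid, src, dst, dport = f[1], f[2], f[4], int(f[5])
        if (dst, dport) in C2_ENDPOINTS:
            ioc = "systembc-c2"
        elif (dst, dport) in dropper_hosts():
            ioc = "dropper-host"
        elif dst in C2_IPS:
            ioc = "c2-ip-other-port"  # config pins 4193; another port still merits a look
        else:
            continue
        hits.append({"uid": uid, "src": src, "dst": dst, "dport": dport, "ioc": ioc})
    return hits


def match_http(lines):
    """Rebuild the requested URL from host/port/uri and compare against the dropper URL."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        uid, src, port, host, uri = f[1], f[2], int(f[5]), f[8], f[9]
        netloc = host if port == 80 else f"{host}:{port}"
        url = f"http://{netloc}{uri}"
        if url in DROPPER_URLS:
            hits.append({"uid": uid, "src": src, "url": url, "ioc": "dropper-url"})
    return hits


def correlate(conn_hits, http_hits):
    """Join on the Zeek uid so a dropper download shows up as one event with both views."""
    by_uid = {h["uid"]: dict(h) for h in conn_hits}
    for h in http_hits:
        by_uid.setdefault(h["uid"], {}).update(h)
    return by_uid


if __name__ == "__main__":
    events = correlate(match_conn(CONN_LOG.splitlines()), match_http(HTTP_LOG.splitlines()))
    for uid, ev in events.items():
        print(uid, ev)
```

On real data, feed `match_conn` and `match_http` the lines of the respective Zeek logs; the `c2-ip-other-port` tier is deliberately separate so it can be routed to a lower-severity queue rather than paging on it.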

Targets

    • Target

      WiseCare365_Setup.exe

    • Size

      41.2MB

    • MD5

      a054cf67547476c2ab1b4d8e66bff7b3

    • SHA1

      b1b29a1ce3b6ee3bbea3ef30c36d7bd0f0935699

    • SHA256

      8baf828cdb482e769c87e58d47782100ebce01c9039a670b154d0f8eca958948

    • SHA512

      f672dcc0e190b22664770c2ce151a384e5bc06bce98e9f71e8f4a7eb480c08e5c15f14cdbc8a141599c854a5bfd0edecad63795edf388a752259855fe90c135f

    • SSDEEP

      786432:QsCKwcgE6McNv4noJS8nqOkx1Aiwn6QB3bwvNf1soEZLM/1A6LAVByFkWOOrHSPb:JChcgEFc/AnxlCboZ1dE18Zk0kWIb

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, capable of loading additional plugins.

    • SystemBC

      SystemBC is a SOCKS5 proxy and remote administration tool first seen in 2019.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS vendor and version strings are often read to detect sandboxing or virtualised environments, since their values identify the hypervisor.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      NtSetInformationThread with ThreadHideFromDebugger hides a thread from an attached debugger, a common anti-analysis technique.

    • Suspicious use of SetThreadContext

      SetThreadContext redirects execution in another thread and is commonly seen during process injection.
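
Several of the signatures above (VirtualBox ACPI tables, BIOS strings, the Geo country code, the Uninstall key, EnableLUA, the Run key) are plain registry accesses that only become interesting in combination. The script below is an added example, not part of the Triage report, that turns them into a scoring pass over a Procmon-style CSV export: the key paths are the well-known locations each signature names, the rows are constructed, and the signature table and verdict thresholds are my assumptions. One caveat it encodes: Sysmon logs registry writes (event IDs 12 to 14) but not reads, so the lookups this sample performs are only visible in an API trace, a Procmon capture, or SACL-based object-access auditing.

```python
"""Score a process's registry activity against the sandbox signatures above.

Added example, not part of the Triage report. The input is a constructed
Procmon-style CSV export; the key paths are the well-known locations each
signature refers to, and the signature table and verdict thresholds are
assumptions made for this example. Sysmon records registry writes (event
IDs 12-14) but not reads, so these lookups need an API trace, Procmon, or
SACL-based object-access auditing to be visible at all.
"""
import csv
import io
import re
from collections import defaultdict

# Signature name -> (Procmon operations that count, key-path pattern). Assumed mapping.
SIGNATURES = {
    "anti-vm: VirtualBox ACPI tables": (
        {"RegOpenKey", "RegQueryValue", "RegEnumKey"},
        re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    ),
    "anti-sandbox: BIOS information": (
        {"RegOpenKey", "RegQueryValue"},
        re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(BIOS(\\|$)|SystemBiosVersion|VideoBiosVersion)", re.I),
    ),
    "geofence: country code lookup": (
        {"RegOpenKey", "RegQueryValue"},
        re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I),
    ),
    "recon: installed software (Uninstall key)": (
        {"RegOpenKey", "RegEnumKey", "RegQueryValue"},
        re.compile(r"\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall", re.I),
    ),
    "recon: UAC status (EnableLUA)": (
        {"RegQueryValue"},
        re.compile(r"\\Policies\\System\\EnableLUA$", re.I),
    ),
    "persistence: Run key value written": (
        {"RegSetValue"},
        re.compile(r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I),
    ),
}

# Constructed rows in Procmon's CSV export layout (not a real capture). The failed
# VBOX__ lookup is kept on purpose: the attempt is the tell, not the result.
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","WiseCare365_Setup.exe","4120","RegOpenKey","HKLM\HARDWARE\ACPI\DSDT\VBOX__","NAME NOT FOUND","Desired Access: Read"
"10:01:02.2","WiseCare365_Setup.exe","4120","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer","SUCCESS","Type: REG_SZ, Length: 20, Data: Dell Inc."
"10:01:02.3","WiseCare365_Setup.exe","4120","RegQueryValue","HKCU\Control Panel\International\Geo\Nation","SUCCESS","Type: REG_SZ, Length: 8, Data: 244"
"10:01:03.0","WiseCare365_Setup.exe","4120","RegEnumKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall","SUCCESS","Index: 0, Name: 7-Zip"
"10:01:03.4","WiseCare365_Setup.exe","4120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:04.0","WiseCare365_Setup.exe","4120","RegSetValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\Users\user\AppData\Roaming\svc.exe"
"10:01:05.0","explorer.exe","1234","RegQueryValue","HKCU\Control Panel\International\Geo\Nation","SUCCESS","Type: REG_SZ, Length: 8, Data: 244"
'''


def parse_procmon_csv(text):
    """Rows from a Procmon CSV export as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(rows):
    """{(process, pid): {signature: [paths]}} for every row that matches a signature."""
    hits = defaultdict(lambda: defaultdict(list))
    for row in rows:
        for name, (ops, pattern) in SIGNATURES.items():
            if row["Operation"] in ops and pattern.search(row["Path"]):
                hits[(row["Process Name"], row["PID"])][name].append(row["Path"])
    return hits


def verdict(sig_names):
    """Evasion plus persistence in one process is the combination worth escalating;
    a single geofence or recon lookup on its own is common in legitimate software."""
    evasive = any(n.startswith(("anti-vm", "anti-sandbox")) for n in sig_names)
    persistent = any(n.startswith("persistence") for n in sig_names)
    if evasive and persistent:
        return "malicious"
    if evasive or persistent or len(sig_names) >= 3:
        return "suspicious"
    return "informational"


def triage(text):
    """Per-process summary: matched signature names and a verdict."""
    report = {}
    for (proc, pid), sigs in classify(parse_procmon_csv(text)).items():
        report[f"{proc}:{pid}"] = {"signatures": sorted(sigs), "verdict": verdict(sigs)}
    return report


if __name__ == "__main__":
    for proc, summary in triage(SAMPLE_LOG).items():
        print(proc, summary["verdict"], *summary["signatures"], sep="\n  ")
```

Export a real Procmon capture with File > Save (CSV) and pass its contents to `triage`; the `explorer.exe` row is there to show why a lone Geo\Nation read must not escalate on its own.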

MITRE ATT&CK Enterprise v6

Tasks