General
- Target: 5446bc8551fadc86113623548aceac8fd9cfa89ef86de503aee76f73d510fce1
- Size: 4.5MB
- Sample: 221028-tag5nsgecl
- MD5: 1f66aed45a0ac90e460ddf1ae08d9621
- SHA1: 2b86c1cb39664fd149cb33ed8fc33cffa6be57b5
- SHA256: 5446bc8551fadc86113623548aceac8fd9cfa89ef86de503aee76f73d510fce1
- SHA512: 2c4cfd25f13a3a1442d074d466ccb6857cdca83a4c3eecad8d20df62ec4389d51dde95140697b9899f3ca60afbd2da41011332c777378eec04b6966a119356d6
- SSDEEP: 98304:xD18QJgdk3cEQAZ1pDxmYgNP6fVFZ/I9dU2AiwCvLUBsKcUK:xR8Q4PYZ1pDx/uyfrBIo2AiNLUCKY
Static task
- static1
Behavioral task
- behavioral1: sample 5446bc8551fadc86113623548aceac8fd9cfa89ef86de503aee76f73d510fce1.exe, resource win7-20220812-en
Behavioral task
- behavioral2: sample 5446bc8551fadc86113623548aceac8fd9cfa89ef86de503aee76f73d510fce1.exe, resource win10v2004-20220812-en
Malware Config
Extracted: nullmixer
- http://razino.xyz/
Extracted: vidar
- 39.4
- 706
- https://sergeevih43.tumblr.com/
- profile_id: 706
Extracted: redline
- DomAni
- ergerr3.top:80
Extracted: redline
- dzkey
- 193.106.191.19:47242
- auth_value: 52a449fd61ad73c3abc266d47c699ceb
Extracted: nymaim
- 45.139.105.171
- 85.31.46.167
Extracted: tofsee
- svartalfheim.top
- jotunheim.name
Extracted: redline
- Andriii_ff
- 185.173.36.94:31511
- auth_value: 0318e100e6da39f286482d897715196b
Extracted: redline
- 6.4
- 103.89.90.61:34589
- auth_value: a7a3522462b1f9687c4ead2995816370
Extracted: redline
- LogsDiller Cloud (TG: @logsdillabot)
- 51.89.201.21:7161
- auth_value: 3a050df92d0cf082b2cdaf87863616be
Extracted: redline
- 1310
- 79.137.192.57:48771
- auth_value: feb5f5c29913f32658637e553762a40e
Extracted: redline
- new1028
- denestyenol.xyz:81
- exirdonanos.xyz:81
- auth_value: 66c880a01e6ecc352ab1447a048f2697
Extracted: vidar
- 55.3
- 937
- https://t.me/slivetalks
- https://c.im/@xinibin420
- profile_id: 937
Targets
- Target: 5446bc8551fadc86113623548aceac8fd9cfa89ef86de503aee76f73d510fce1 (4.5MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General above)
Signatures
- DcRat: DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Detect Fabookie payload
- Detects Smokeloader packer
- PrivateLoader: PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Nirsoft
- Vidar Stealer
- Creates new service(s)
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Unexpected DNS network traffic destination: network traffic to servers other than the configured DNS servers was detected on the DNS port.
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v6
Persistence
- Modify Existing Service (2)
- New Service (1)
- Registry Run Keys / Startup Folder (2)
- Scheduled Task (1)
Defense Evasion
- Disabling Security Tools (1)
- Install Root Certificate (1)
- Modify Registry (4)
- Scripting (1)
- Web Service (1)