Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d
-
Size
225KB
-
Sample
221218-17n3tagg7s
-
MD5
6a59c469713da7bb9abc4b8f2e8ac6da
-
SHA1
e87a23b50b3f3a41c50d62e558153d3a3010a02b
-
SHA256
3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d
-
SHA512
16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65
-
SSDEEP
3072:Lz08R/4F+88pD4EkNimqFDF6D2lhPBhQuzpw1H4Oc/1dcK4sRPID6bM0mQt0:x4QRnkgZFDFNPouzpw1H4O9NDCP0
Behavioral task
behavioral1
Sample
3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d.exe
Resource
win10-20220812-en
Malware Config
Extracted
amadey
3.60
193.42.33.28/game0ver/index.php
Extracted
aurora
45.144.30.146:8081
Extracted
https://cdn.discordapp.com/attachments/1049569242455998544/1049862157858242560/string4633.err
Extracted
https://cdn.discordapp.com/attachments/1049569242455998544/1049862157594021948/string792.err
Extracted
redline
installs1
89.23.96.2:7253
-
auth_value
fb538922d8f77f00fb6c39f8066af176
Extracted
redline
installs
89.23.96.2:7253
-
auth_value
8d4428f372143572364f044ea9649d7f
Extracted
amadey
3.10
hellomr.observer/f8dfksdj3/index.php
researchersgokick.rocks/f8dfksdj3/index.php
pleasetake.pictures/f8dfksdj3/index.php
Targets
-
-
Target
3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d
-
Size
225KB
-
MD5
6a59c469713da7bb9abc4b8f2e8ac6da
-
SHA1
e87a23b50b3f3a41c50d62e558153d3a3010a02b
-
SHA256
3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d
-
SHA512
16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65
-
SSDEEP
3072:Lz08R/4F+88pD4EkNimqFDF6D2lhPBhQuzpw1H4Oc/1dcK4sRPID6bM0mQt0:x4QRnkgZFDFNPouzpw1H4O9NDCP0
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Amadey credential stealer module
-
Detects Smokeloader packer
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
.NET Reactor proctector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-