General

  • Target

    Acrepi 3.6.zip

  • Size

    1.1MB

  • Sample

    230424-23akasfb43

  • MD5

    ebc164d5ba9b55f9b07f1a04e3b49c79

  • SHA1

    0fa7a01ecf3171eb4992c3ade3cf136a55084f97

  • SHA256

    82631fce8b8c5a06d952c9d0eec077cd0c14bb14fe0164a9b50a925bd46aae9b

  • SHA512

    25516be43ea316beeaa9af1326e34b6baf9f8e5ea379521ff63457a3ee6f455a093d04a219137e10eab37df347c54cc92a89689e00b5ff73e31088fc185e5936

  • SSDEEP

    24576:7u2JhY0Jayh7sOxjEDpfiBwVz6rUhVI/0bmFPEpoVTbg3vbxl9wlMAo86WY3uC:i2/Y0X7scQpVe6VIM6FMp0I3vbx4lN6l

Malware Config

Targets

    • Target

      CLibrary.dll

    • Size

      18KB

    • MD5

      379358b4cd4b60137c0807f327531987

    • SHA1

      b0a5f6e3dcd0dbc94726f16ed55d2461d1737b59

    • SHA256

      0ff1d03926f5d9c01d02fae5c5e1f018a87d7f90a1826de47277530bfc7776f8

    • SHA512

      097c08135d654596a19ada814ad360a8c2374d989cbd7094c6acb092e9854abf1f1d878d3da72b66c4c75806586bee7fe04d555a1d82db170725bdbeadea7d50

    • SSDEEP

      384:rLyPunoshzdtnbuH0aXOk0GfZh5g+zCxU:rLy7s5dJuHHOqhyy

    Score
    1/10
    • Target

      injector.exe

    • Size

      1.7MB

    • MD5

      8cc41b512b7fdf051bff007c253e4043

    • SHA1

      0b63191f4f416c41be915a08e2e045e9ba1ce1a0

    • SHA256

      9dcfcb7b9dd25f740986fe03702928371903d279dbab6b5d8c7cb7a574f0caca

    • SHA512

      3d773346ba5e7a1782934121e66b47d1865c1b82a8260ad2195c28865fb80dbaa325d6483a28c99e7e510a3d0dd4f835742626acea44042e3155d41f71bd93e9

    • SSDEEP

      24576:P2G/nvxW3W+0ZddL1uN+9vYzK1pTVklXQ3JcGJdyuC6gFLMRUSIxNhoAJHIqL/hg:PbA3ebJ1uo8IcayuqSIdo0eL1

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins at runtime.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofencing check to avoid running in certain regions.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and session cookies.

    • Adds Run key to start application
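The Winlogon, Task Manager, Run-key and location-lookup signatures above all come down to a handful of registry locations, so a responder checking a host for the same behaviour can audit them directly. The script below is an added example for this page, not code from tria.ge or from the sample; the registry paths are the standard Windows locations, while the "known-good" Winlogon values and the Geo\Nation path are assumptions for a default install and may differ on hardened images.

```powershell
# Added triage helper (not part of the report): audit the registry locations behind
# the signatures above on a live Windows host. Run from an elevated PowerShell session.
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Area, [string]$Path, [string]$Name, $Value, [string]$Note)
    $findings.Add([pscustomobject]@{ Area = $Area; Path = $Path; Name = $Name; Value = $Value; Note = $Note })
}

# 1. "Modifies WinLogon for persistence": Shell and Userinit run at every logon.
#    Assumed defaults for a stock install; anything appended to them is a persistence hook.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$defaults = @{ Shell = 'explorer.exe'; Userinit = 'C:\Windows\system32\userinit.exe,' }
foreach ($name in $defaults.Keys) {
    $val = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name
    if ($val -and $val -ne $defaults[$name]) {
        Add-Finding 'Winlogon' $winlogon $name $val 'Non-default logon hook'
    }
}

# 2. "Disables Task Manager via registry modification": DisableTaskMgr = 1 under HKCU or HKLM.
foreach ($hive in 'HKCU', 'HKLM') {
    $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $val = (Get-ItemProperty -Path $pol -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($val -eq 1) { Add-Finding 'TaskMgr' $pol 'DisableTaskMgr' $val 'Task Manager disabled by policy' }
}

# 3. "Adds Run key to start application": enumerate Run/RunOnce in both hives and flag
#    commands that do not point into the Windows or Program Files directories.
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($key in 'Run', 'RunOnce') {
        $path  = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$key"
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSParentPath etc.
            $cmd = [string]$p.Value
            $outsideSystemDirs = $cmd -notmatch '^"?[A-Z]:\\(Windows|Program Files( \(x86\))?)\\'
            $note = if ($outsideSystemDirs) { 'Autostart outside system directories' } else { 'Autostart (system directory)' }
            Add-Finding 'Run' $path $p.Name $cmd $note
        }
    }
}

# 4. "Checks computer location settings": the Geo\Nation value is the country code a
#    geofencing sample reads. Reported for context; the value itself is not malicious.
$geo    = 'HKCU:\Control Panel\International\Geo'
$nation = (Get-ItemProperty -Path $geo -Name Nation -ErrorAction SilentlyContinue).Nation
Add-Finding 'Geo' $geo 'Nation' $nation 'Country code read by geofencing checks (informational)'

$findings | Format-Table -AutoSize
```

The Run-key heuristic is deliberately coarse: a legitimate autostart from a user profile directory will be flagged too, so treat the output as a worklist to compare against the sandbox report's dropped-file paths rather than as a verdict. On a host that the sample has actually run on, the Winlogon and DisableTaskMgr rows are the high-confidence ones.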

MITRE ATT&CK Enterprise v6

Tasks