General

  • Target: 49dbad7d49d0a55a65427008daa3502efbc778134b6f44067ecd6d96f0374d55
  • Size: 4.3MB
  • Sample: 230508-hj38qahc95
  • MD5: e74d882ca11fd560a7dad0422a7c6071
  • SHA1: 116b33fb95fc1838fe043ecba53288d30caf711d
  • SHA256: 49dbad7d49d0a55a65427008daa3502efbc778134b6f44067ecd6d96f0374d55
  • SHA512: 9e3ac6efba64acddd5b4dd29985016bcfed4543959763b9dfc969ea7fcbac00ee9039f417f044a9f7fae398d3555d5a4c25880d60ca39a837552b741ded1b073
  • SSDEEP: 98304:V391/pVv0pCGreIDIb0RyttgDcNYAIfVrBRDYbYpbGeBvx:V39p0paIHyUgIfVrL8bAbGeB

Malware Config

Extracted

  • Family: amadey
  • Version: 3.70
  • C2: 77.73.134.27/n9kdjc3xSf/index.php

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies security service

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing (only executing in selected regions).

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
