General
- Target: eb4ebf5b9bbe84d8344a9d841b258b8b.zip
- Size: 475KB
- Sample: 230519-k1cs7sda29
- MD5: 5dfe5efe3841908f856707611a7a7bdc
- SHA1: 24c411e37ae9b2ce305ef0fe64f9fe4906bd7410
- SHA256: cb550c56ca091b8c0d2a6634a114a66a5c15f2363881f37fbb14e715ac88134f
- SHA512: 5620ef57ade849a7d5d310988b2a793d5c8f357af03d455ab6cf2445cb6497fb6a1a0fae3a0537af15fe13304f5a01f04480e21f065db2ffb7d08abe35feed37
- SSDEEP: 12288:PPHnnwYE0vTK1IQaPjPgAxg0ZN6Y1NOETVa1wyVv9wXSSYOvyl:PfnMKBDr6e9VYBaXlxi
Static task: static1
Behavioral task: behavioral1
- Sample: NARUD_BA.exe
- Resource: win10-20230220-en
Behavioral task: behavioral2
- Sample: NARUD_BA.exe
- Resource: win7-20230220-en
Malware Config
Extracted
formbook
4.1
il07
lawofficeofchasearich.com
3332626f.xyz
wordpressbilimi.net
gdapp1.xyz
facebetter.online
koningmedia.africa
elitegaraje.com
lightingnews.ru
locationdarling.com
corrective.one
contamais.app
a2dzgm-bcx9.com
gyaanji.com
ibnuic.top
fsyiq3jp.com
dizirt.com
z3iucr5b35d.net
myfedloan.africa
dscovcorpoffice.info
ht80852.com
digitalsmg.com
94886.uk
bestteethwhiteningblog.com
betnunavut.com
bacteriophage.asia
empressmejewelry.net
carpetlayermarketer.com
etaxaud.com
weblo.net
hikinglife.online
calmgoddess.com
fadeincorporated.com
draluizasegregiogastro.com
keerthip.com
eltresio.info
totalmateria.net
deepbridgacapital.com
epplecreation.com
containsmilk.com
darksinz.live
seatherny.com
ojutole.africa
jimmodafferi.com
bipolardisorder-guide.site
ldjt.net
bevillasibiza.online
e-menu.software
inrecurope.com
idledtx.com
edortion.com
colorshockpainting.com
osbemlak.net
allowing-behest.click
kvbaw.online
falkirk-handyman.co.uk
liito-kala.ru
cincinkawincustom.com
bj-mailcorp.com
gdufvl.cfd
diabetescentertepic.com
biokustodija.com
getadvonow.com
gmatchsunglasses.com
vortexpostelecom.africa
messeinter.com
Targets
- Target: NARUD_BA.EXE
- Size: 500KB
- MD5: eb4ebf5b9bbe84d8344a9d841b258b8b
- SHA1: 73ac005d35a2a7d5a43e4aa6982461b3168f64e6
- SHA256: 0b318f0cfea0808152858214548a444572aa30e11ebaf4fb5b06af00033fea7e
- SHA512: bd318dd411127aa503ecce23a1d53a497be089b3b74e1b31735cbf95b52ee4858ceb6f29c0a4101740334ddbbc586a57dcd055cc31f255a121c2d06bed381c44
- SSDEEP: 12288:lKl9TZYH5G8FfP9Rns6cDdrnEPpmTzLJOJt:s9TybFfP9Z5WRExCJKt
- Formbook payload
- Adds policy Run key to start application
- Checks QEMU agent file: Checks presence of QEMU agent, possibly to detect virtualization.
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext