
07/07/2023, 09:59

230707-lz275sgc54 10

General

  • Target

    14052163e50c197697c64b1431b42271.exe

  • Size

    17.6MB

  • Sample

    230707-lz275sgc54

  • MD5

    14052163e50c197697c64b1431b42271

  • SHA1

    df301332faa73c3d5f915fde61df2fc9de21a61a

  • SHA256

    4e0ddcd303f27c01dcc8a35a9bd821c53fb7dcca474ac7f0c84d3c6451e9f778

  • SHA512

    124f6fb9812fe56fc9428a53206e67ada7a5221bbac08204c52fc9df970a492f133ac3911b1cfd2a76c58b8921580f58b2f8d32db7395442549bdfefafc3bfab

  • SSDEEP

    393216:LOh37DR+wwmOoDxRz016TCORfagi8boLH6fQmQa9T1AE0Grq:g/FRxRzlRfPeLajLlg

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (ps1.dropper)

    https://files.catbox.moe/fvl5hy.jpg

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    fr

  • C2

    francia.ydns.eu:5553

  • Mutex

    8721754955d2136ee214cac4b72b7338

  • Attributes

      • reg_key

        8721754955d2136ee214cac4b72b7338

      • splitter

        |'|'|

Extracted

  • Family

    wshrat

  • C2

    http://francia.ydns.eu:8000

Targets

    • Target

      14052163e50c197697c64b1431b42271.exe

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Enterprise v6
