General

  • Target

    BridgeReview_protected.exe

  • Size

    2.8MB

  • Sample

    230709-qnls8sda78

  • MD5

    fefd90a570c93a0a2ec4838ad5e077f0

  • SHA1

    81c0a7c797cd74e639ff97ecbdfba368549c6bb2

  • SHA256

    bb7f46fde76addee53d6e9765b4b55e440698cfed873d01547f7eb43e16a38f5

  • SHA512

    f32011517dbe54fce044da65fca1663e3e82acc0fa2443c69e6f3d0fc461f0bf2b512f4450dec0ad281a2a5f4f7abfbe20423843c10fb6d36e558a2e4e34b3d5

  • SSDEEP

    49152:Y9JYJBVie9pMadBi6ZGLXIE/3sT1DS8f9rIxCpSvHusz6fm26n9qdMg4B7i6:zJB/bbiBI31D5f9PkvOaPnDB7i6

  • Score

    10/10

Malware Config

Targets

    • Target

      BridgeReview_protected.exe

    • Score

      10/10

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
