Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    6d6a4533ce9fb518e1fe891fc8fa9ad51e4dec6d1ff024ebf24c390656c3e5c7

  • Size

    380KB

  • MD5

    2dbb89972bc9b697a46b6852cccfa35b

  • SHA1

    64476be44b2693aeced74ad499257751fe9b961f

  • SHA256

    6d6a4533ce9fb518e1fe891fc8fa9ad51e4dec6d1ff024ebf24c390656c3e5c7

  • SHA512

    6cdd0c70d2584f16f672a2a0925f04da82d5dcfb02362f0d60a0dc581d2de9ffef746ce7db597a39749350019fbf62d9c430e8dd4d688a6b2e9f389802d389ad

  • SSDEEP

    6144:aAgVsBSj9evYwdtYxTrXlNs6ivcQKXF2yEQDr0LdaAtUNT:aRP9evYCt4X4bgs8

Score
10/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

665745135

C2

http://yelp.com:443/gp/aj/private/reviewsGallery/get-application-resources

http://bbc.com:443/api2/json/cluster/resources

http://nytimes.com:443/en-us/p/onerf/MeSilentPassport

http://dictionary.com:443/en-us/p/onerf/MeSilentPassport

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    yelp.com,/gp/aj/private/reviewsGallery/get-application-resources,bbc.com,/api2/json/cluster/resources,nytimes.com,/en-us/p/onerf/MeSilentPassport,dictionary.com,/en-us/p/onerf/MeSilentPassport

  • http_header1

    AAAACgAAAJBBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCxpbWFnZS9hcG5nLCovKjtxPTAuOCxhcHBsaWNhdGlvbi9zaWduZWQtZXhjaGFuZ2VkL3Y9YjM7cT0wLjkAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjkAAAAKAAAAIkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIAAAAHAAAAAAAAAAgAAAAPAAAAAwAAAAIAAAAtZGlzcGxheS1jdWx0dXJlPWVuO2NoZWNrPXRydWU7bGJjcz0wO3Nlc3MtaWQ9AAAAAQAAACA7U0lEQ0M9QU4wLU5SWTRjSkdLOU9sQWU7VG1tdjQ9QwAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAJBBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCxpbWFnZS9hcG5nLCovKjtxPTAuOCxhcHBsaWNhdGlvbi9zaWduZWQtZXhjaGFuZ2VkL3Y9YjM7cT0wLjkAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjkAAAAKAAAAIkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIAAAAHAAAAAAAAAA8AAAANAAAAAgAAAARzZXMtAAAABQAAAAJwcQAAAAcAAAABAAAACAAAAA8AAAANAAAAAgAAACl7ImxvY2FsZSI6ImVuIiwiY2hhbm5lbCI6InByb2QiLCJhZGRvbiI6IgAAAAEAAAACIn0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    23040

  • polling_time

    15000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\WerFault -a

  • sc_process64

    %windir%\sysnative\WerFault -a

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCKpYKHPTr/o+ua/PTe9MpUMy6X0Y2z5l6FBVcrB9Ldm7LHyNkAYH/+neG1nN0l7A9Wd8e2xeRf+xsnhEAXrQ6wJPBx3GTBygGwcp2+25nd46vIOZBsMsSPNdyR7gj7LVabULJUMAKEfhO8i1ruciX5Uz/LI4FnAlUDYdZ8xdT/VwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.0086976e+09

  • unknown2

    AAAABAAAAAEAAAADAAAAAgAAAFQAAAADAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /1.5/95648064/storage/tabs

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    665745135

Signatures

  • Cobaltstrike family
  • Unsigned PE 1 IoCs

    Checks for missing Authenticode signature.

Files

  • 6d6a4533ce9fb518e1fe891fc8fa9ad51e4dec6d1ff024ebf24c390656c3e5c7
    .exe windows x86


    Headers

    Sections

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.