Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    Dgc_se.exe

  • Size

    1.5MB

  • Sample

    230831-3q37hsbe28

  • MD5

    36afdb6136aa3dda6484583cbbf674b7

  • SHA1

    0e2378dbfcf0921d1ce2690a9164f3170ca2cb47

  • SHA256

    c27da32c7d176766975f8e7aae3e011efe1522336527f48d8ee4bcd28ca1922c

  • SHA512

    dae854e7a6db812e93d733195fe03c863dac3f78d4fa44b09ce19a3fb907ad2f81eff627e3933d81ea1a2b0079393c79a91296c0696e675c3d298d8a10c3ec04

  • SSDEEP

    24576:DFrr+pkCzK7/SMD2mqs51jR1s7MnmTaCYDBUU1bw5ekx1x4/b77QXWsmCPW4mq:Dh+pkCzHtmqsPE7I40dwekx12H7I9P

Malware Config

Extracted

Family

cobaltstrike

C2

http://103.101.204.59:8888/caPI

Attributes
  • user_agent

    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://103.101.204.59:8888/ptj

http://kong.riieco.eu.org:8888/pixel.gif

Attributes
  • access_type

    512

  • host

    103.101.204.59,/ptj,kong.riieco.eu.org,/pixel.gif

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • polling_time

    60000

  • port_number

    8888

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnCZHWnYFqYB/6gJdkc4MPDTtBJ20nkEAd3tsY4tPKs8MV4yIjJb5CtlrbKHjzP1oD/1AQsj6EKlEMFIKtakLx5+VybrMYE+dDdkDteHmVX0AeFyw001FyQVlt1B+OSNPRscKI5sh1L/ZdwnrMy6S6nNbQ5N5hls6k2kgNO5nQ7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)

  • watermark

    305419896

Extracted

Family

cobaltstrike

Botnet

0

Attributes
  • watermark

    0

Targets

    • Target

      Dgc_se.exe

    • Size

      1.5MB

    • MD5

      36afdb6136aa3dda6484583cbbf674b7

    • SHA1

      0e2378dbfcf0921d1ce2690a9164f3170ca2cb47

    • SHA256

      c27da32c7d176766975f8e7aae3e011efe1522336527f48d8ee4bcd28ca1922c

    • SHA512

      dae854e7a6db812e93d733195fe03c863dac3f78d4fa44b09ce19a3fb907ad2f81eff627e3933d81ea1a2b0079393c79a91296c0696e675c3d298d8a10c3ec04

    • SSDEEP

      24576:DFrr+pkCzK7/SMD2mqs51jR1s7MnmTaCYDBUU1bw5ekx1x4/b77QXWsmCPW4mq:Dh+pkCzHtmqsPE7I40dwekx12H7I9P

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks