Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

malware.zip

windows7-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    malware.zip

  • Size

    75.2MB

  • Sample

    230916-rv1reaba91

  • MD5

    9c5d4fde9036434c02da795d079f0651

  • SHA1

    e57b24f74086c01f46b4d814688415c27a5e0068

  • SHA256

    ffb44a5388958cda3be00af5170e3fa51c5bc59e7b6ea659836417a17594d18c

  • SHA512

    1f956bf4f628553e88850d045cea9a5e09fb43c2a00b6311c4df2245535acfdaf6c5256ece4104df07ed9c69e15a033a2748ad2eaa4f17634ab6e8c32cffda0f

  • SSDEEP

    1572864:jO3K/oykFae+/XkNwJ3ncS9pLkFg4FR40rbvXFahEvRY/Qj:K3K/jkFLobLkl40PvXpK/q

Score
10/10
agentteslaauroradcratlaplasrhadamanthyssmokeloaderbackdoordiscoveryevasioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

laplas

C2

clipper.guru

Attributes
  • api_key

    5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e

Extracted

Family

rhadamanthys

C2

http://195.3.223.120/blob/fullidao.tk

http://195.3.223.120/blob/fulliano.tk

http://195.3.223.120/blob/luciano.tk

http://195.3.223.120/blob/gotto.tk

Extracted

Family

aurora

C2

185.239.239.194:8081

Extracted

Family

agenttesla

C2

https://discord.com/api/webhooks/1052047387167838281/ckxOZHqDK9Fs6wm9uehtyNosd3HZGLhQFPhbdBDnWi6cl945WnENSlc0bCmlN0xY5VHH

Extracted

Family

smokeloader

Version

2022

C2

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/
rc4.i32
rc4.i32

Targets

    • Target

      malware.zip

    • Size

      75.2MB

    • MD5

      9c5d4fde9036434c02da795d079f0651

    • SHA1

      e57b24f74086c01f46b4d814688415c27a5e0068

    • SHA256

      ffb44a5388958cda3be00af5170e3fa51c5bc59e7b6ea659836417a17594d18c

    • SHA512

      1f956bf4f628553e88850d045cea9a5e09fb43c2a00b6311c4df2245535acfdaf6c5256ece4104df07ed9c69e15a033a2748ad2eaa4f17634ab6e8c32cffda0f

    • SSDEEP

      1572864:jO3K/oykFae+/XkNwJ3ncS9pLkFg4FR40rbvXFahEvRY/Qj:K3K/jkFLobLkl40PvXpK/q

    Score
    10/10
    auroradcratsmokeloaderbackdoordiscoveryevasioninfostealerpersistenceratspywarestealertrojan

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

      stealeraurora

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Downloads MZ/PE file

    • Stops running service(s)

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Registers COM server for autorun

      persistence

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

File and Directory Permissions Modification

1
T1222

Impair Defenses

1
T1562

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks