General

  • Target

    aa3d40c34d88ebc024f798e3e5a720e6cd7f6f447cdfbbead1f0c5bba72d4312

  • Size

    5.4MB

  • Sample

    231011-mfm5jsae82

  • MD5

    380b17feab2c2dc51b7940a95295678e

  • SHA1

    d39bb6eabdf04e535737f77ef838f5ad6bdb4b6a

  • SHA256

    aa3d40c34d88ebc024f798e3e5a720e6cd7f6f447cdfbbead1f0c5bba72d4312

  • SHA512

    728c01575152a1b8637bba1db1078e3c66e8631351c18ec55c4356e26af1fcd16b5d9698058e4247b7e43c5090f173b19d81664b1c60b03b6e98cb3f6a278c3e

  • SSDEEP

    98304:c6te5FnoajcsPJRRCsA7J//OaHvQyqW9oe4+JOijZdMAuaKzG3gu5:c75ZxPJRRy7h/8yh13jZSAuaqGwC

Malware Config

Targets

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger
