Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    d334fdbe7080a9e36d94001903199491

  • Size

    10KB

  • Sample

    231014-es5alaaa89

  • MD5

    d334fdbe7080a9e36d94001903199491

  • SHA1

    5d10fa7e8de420744a3ad3358428f16e796c3c1a

  • SHA256

    20f0619336fb27994a740fb37794d83d027646bbf0d826d8b3542f042412a908

  • SHA512

    dc57151e73e2e23709a71fc608f6b2d9e7e2f1bbbc4999a3f80443fc3599e21cfedbb6dc735e9bcd6d3421e595dacd34be01375eda9c4a5348550b94349383ba

  • SSDEEP

    192:4ctzdkaK/n7bEbIn+qeDFcugX8P6J8stYcFwVc03KY:4y+p7bEbIn+rgX8yJptYcFwVc03K

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://193.42.32.29/9bDc8sQ/index.php

Attributes
  • install_dir

    1ff8bec27e

  • install_file

    nhdues.exe

  • strings_key

    2efe1b48925e9abf268903d42284c46b

rc4.plain

Targets

    • Target

      d334fdbe7080a9e36d94001903199491

    • Size

      10KB

    • MD5

      d334fdbe7080a9e36d94001903199491

    • SHA1

      5d10fa7e8de420744a3ad3358428f16e796c3c1a

    • SHA256

      20f0619336fb27994a740fb37794d83d027646bbf0d826d8b3542f042412a908

    • SHA512

      dc57151e73e2e23709a71fc608f6b2d9e7e2f1bbbc4999a3f80443fc3599e21cfedbb6dc735e9bcd6d3421e595dacd34be01375eda9c4a5348550b94349383ba

    • SSDEEP

      192:4ctzdkaK/n7bEbIn+qeDFcugX8P6J8stYcFwVc03KY:4y+p7bEbIn+rgX8yJptYcFwVc03K

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect rhadamanthys stealer shellcode

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Windows security bypass

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Windows security modification

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks