Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f
-
Size
82KB
-
Sample
231102-d5nypsff9w
-
MD5
e3571a16f67482e4614ea047b9d7f1e7
-
SHA1
27692eafcf957721e1935f52d23e4a92ff3ebc92
-
SHA256
ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f
-
SHA512
24d0c47e6e5784e5652d37c8f51d7cf2b6f912a626db18ed20dc004f9d4fe8bb8ee538ae66ea9c84a7e87b03668b36b14deeff7972af7e3876b1b7b3ce7f5370
-
SSDEEP
1536:v/aSQsL7NNm1eHeYFKi0BYyFkKp/qUOJ7WSTCsWzD2cdbwpWkr7ePpms:9QqG1geYF56FkBq8gD3bOWkraPpm
Static task
static1
Behavioral task
behavioral1
Sample
ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f.dll
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f.dll
Resource
win10v2004-20231023-en
Malware Config
Extracted
metasploit
windows/download_exec
http://101.34.222.38:8081/JsFY
- headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; BOIE9;ENUS)
Extracted
cobaltstrike
391144938
http://101.34.222.38:8081/load
-
access_type
512
-
host
101.34.222.38,/load
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
8081
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3NwQWsqvq+XSFe/EjAzMJhY8xqwi14YBYjK+/ja1RTMe1mfTBtCoTyS8zstORfS172w4dWmA+KR7xxEqz1J0ZtIXjGjWtRlQiCIIqPHPAu0mbPckYHwu1xJkKqEaH9XqA5t5ZWgK93jZzFZkNLu7BKusiC9xxspe/QhRY4BvuZQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)
-
watermark
391144938
Targets
-
-
Target
ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f
-
Size
82KB
-
MD5
e3571a16f67482e4614ea047b9d7f1e7
-
SHA1
27692eafcf957721e1935f52d23e4a92ff3ebc92
-
SHA256
ebcd66cb4c54e23846bbe502a05564dfc71f6e412faeadc52a092c73eb7deb2f
-
SHA512
24d0c47e6e5784e5652d37c8f51d7cf2b6f912a626db18ed20dc004f9d4fe8bb8ee538ae66ea9c84a7e87b03668b36b14deeff7972af7e3876b1b7b3ce7f5370
-
SSDEEP
1536:v/aSQsL7NNm1eHeYFKi0BYyFkKp/qUOJ7WSTCsWzD2cdbwpWkr7ePpms:9QqG1geYF56FkBq8gD3bOWkraPpm
Score10/10-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Blocklisted process makes network request
-
Suspicious use of SetThreadContext
-