General

  • Target: 1a1832d01da648109a9e6e530c96b2d6
  • Size: 588KB
  • Sample: 231230-qshblshfaq
  • MD5: 1a1832d01da648109a9e6e530c96b2d6
  • SHA1: ac5b176e8882e5b2e63a267dcaf2584bd2a5dee9
  • SHA256: e6f8559599f741c5c51425d32fe66103d669985ef697a4d3ad47066762cf3c2d
  • SHA512: cd1d30d188c9ad9d63904e460ede16a0322d244c9127518beadfa9e6547137c5eff470a47a176476ae333a790fdfcd8cd069cb6f1f3981cba49371e52300c247
  • SSDEEP: 12288:FyHVRIMGGtpRbRi1H0xNYTpc0dbm2fABXBN4aCvvm1zq5:AVRIMGGtpxg6YG0dbm2fokkm

Malware Config

Extracted

  • Family: xtremerat
  • C2: finders.hopto.org, powned.no-ip.org

Targets

    • Target: 1a1832d01da648109a9e6e530c96b2d6

    • Detect XtremeRAT payload
    • XtremeRAT: XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
    • Executes dropped EXE
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR): Bootkits write to the MBR to gain persistence at a level below the operating system.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks