Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview: score 10/10
Static: score 10/10
Tasks (sample, platform, score):
- ABO.exe on windows7-x64: 8/10
- ABO.exe on windows10-2004-x64: 8/10
- ABO.exe on windows7-x64: 8/10
- ABO.exe on windows10-2004-x64: 10/10
- Adobe.exe on windows7-x64: 8/10
- Adobe.exe on windows10-2004-x64: 10/10
- CGserver.exe on windows7-x64: 10/10
- CGserver.exe on windows10-2004-x64: 10/10
- COON.exe on windows7-x64: 10/10
- COON.exe on windows10-2004-x64: 8/10
- FFA.exe on windows7-x64: 10/10
- FFA.exe on windows10-2004-x64: 8/10
- FIle Rustyz bot.exe on windows7-x64: 8/10
- FIle Rustyz bot.exe on windows10-2004-x64: 8/10
- FrostBot v1.exe on windows7-x64: 10/10
- FrostBot v1.exe on windows10-2004-x64: 10/10
- Google.exe on windows7-x64: 10/10
- Google.exe on windows10-2004-x64: 10/10
- MORPH_9359...79.exe on windows7-x64: 3/10
- MORPH_9359...79.exe on windows10-2004-x64: 3/10
- Mycrypt.exe on windows7-x64: 8/10
- Mycrypt.exe on windows10-2004-x64: 10/10
- PortChecker.exe on windows7-x64: 8/10
- PortChecker.exe on windows10-2004-x64: 10/10
- R.exe on windows7-x64: 10/10
- R.exe on windows10-2004-x64: 10/10
- RSBOT.exe on windows7-x64: (no score shown)
- RSBOT.exe on windows10-2004-x64: (no score shown)
- Rustyz.exe on windows7-x64: 8/10
- Rustyz.exe on windows10-2004-x64: 10/10
- Rustyzzbot.exe on windows7-x64: 8/10
- Rustyzzbot.exe on windows10-2004-x64: 1/10
General
- Target: 4da9865240bd15b59025e9adcce95041
- Size: 3.6MB
- Sample: 240109-hwj1lshdam
- MD5: 4da9865240bd15b59025e9adcce95041
- SHA1: aab7bae83afe0211b7bf41628f44e1edf699d28c
- SHA256: b2b1f374822e760b574cff680d989d0f229bdaf9029acacb2449162b92bbc16b
- SHA512: 3dc7df2d520eddc23e98337537a110ed5969222cdff76d5c7e83cffbbbf987431e09df91781789020019c32981c509e36535a74bc1913a7f5ac16359c6810ef9
- SSDEEP: 98304:GKZWKZc2golKZ8L2djKbqFYNn1bPoxMk5Aq1boWoN7:GKMKu2DlKVWbqNxpoN7
Behavioral tasks (task, sample, resource):
- behavioral1: ABO.exe, win7-20231129-en
- behavioral2: ABO.exe, win10v2004-20231215-en
- behavioral3: ABO.exe, win7-20231215-en
- behavioral4: ABO.exe, win10v2004-20231215-en
- behavioral5: Adobe.exe, win7-20231215-en
- behavioral6: Adobe.exe, win10v2004-20231215-en
- behavioral7: CGserver.exe, win7-20231215-en
- behavioral8: CGserver.exe, win10v2004-20231215-en
- behavioral9: COON.exe, win7-20231215-en
- behavioral10: COON.exe, win10v2004-20231222-en
- behavioral11: FFA.exe, win7-20231215-en
- behavioral12: FFA.exe, win10v2004-20231215-en
- behavioral13: FIle Rustyz bot.exe, win7-20231215-en
- behavioral14: FIle Rustyz bot.exe, win10v2004-20231215-en
- behavioral15: FrostBot v1.exe, win7-20231129-en
- behavioral16: FrostBot v1.exe, win10v2004-20231215-en
- behavioral17: Google.exe, win7-20231215-en
- behavioral18: Google.exe, win10v2004-20231215-en
- behavioral19: MORPH_93594C2E8879.exe, win7-20231215-en
- behavioral20: MORPH_93594C2E8879.exe, win10v2004-20231222-en
- behavioral21: Mycrypt.exe, win7-20231215-en
- behavioral22: Mycrypt.exe, win10v2004-20231215-en
- behavioral23: PortChecker.exe, win7-20231215-en
- behavioral24: PortChecker.exe, win10v2004-20231215-en
- behavioral25: R.exe, win7-20231129-en
- behavioral26: R.exe, win10v2004-20231222-en
- behavioral27: RSBOT.exe, win7-20231215-en
- behavioral28: RSBOT.exe, win10v2004-20231215-en
- behavioral29: Rustyz.exe, win7-20231129-en
- behavioral30: Rustyz.exe, win10v2004-20231215-en
- behavioral31: Rustyzzbot.exe, win7-20231215-en
- behavioral32: Rustyzzbot.exe, win10v2004-20231222-en
Malware Config

Extracted: cybergate v1.04.8
remote
fearrusty.no-ip.info:82
0DO30B5W0TAO3W
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: Facebook.com
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: cybergate

Extracted: cybergate v1.07.5
Cyber
op9.no-ip.biz:100
H6Y643Q6J85D62
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: iTunes.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 123456

Extracted: cybergate v1.02.0
remote
fearrusty.no-ip.info:82
127.0.0.1:999
op9.no-ip.biz:82
L0J8X1U03TC2TJ
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: csrss.exe
- install_dir: install
- install_file: iTunes.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 12345
Targets

Target: ABO.exe
- Size: 283KB
- MD5: 650f9f3426d6e9d5f2d93c638eb2c44c
- SHA1: 925d0ab1a27ea91bc018c167435809b6908c3b97
- SHA256: 6e7d83e76ecbd7f1a860aca8b5f6bd19c0aa730bd4f884a7e683716fa66900d6
- SHA512: 4b1925996850886e3e423a81fb5d54002c3809d2244a4282784840db568be28728b45a6ac451537a2216b4c4cb7d95ac6b71ac66e34ef7935080804436144eda
- SSDEEP: 6144:N4ABF94NpAuO/50BTnqPd0Mpz7qhh4nXjjf8MZ9BKXK+:WUxGLE0kuGnESB+
Score 8/10
Signatures:
- Adds policy Run key to start application
- Modifies Installed Components in the registry

Target: ABO.exe.1
- Size: 283KB
- MD5: 650f9f3426d6e9d5f2d93c638eb2c44c
- SHA1: 925d0ab1a27ea91bc018c167435809b6908c3b97
- SHA256: 6e7d83e76ecbd7f1a860aca8b5f6bd19c0aa730bd4f884a7e683716fa66900d6
- SHA512: 4b1925996850886e3e423a81fb5d54002c3809d2244a4282784840db568be28728b45a6ac451537a2216b4c4cb7d95ac6b71ac66e34ef7935080804436144eda
- SSDEEP: 6144:N4ABF94NpAuO/50BTnqPd0Mpz7qhh4nXjjf8MZ9BKXK+:WUxGLE0kuGnESB+
Signatures:
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Executes dropped EXE

Target: Adobe.exe
- Size: 296KB
- MD5: eea330542ac27446cf64b44d471b3a39
- SHA1: 58f0ce5d435a55996c73df6a3a4ba5e1046a289d
- SHA256: 415f00cda1dd9f55669b2b0ebe6488f23e079723c75da3d78277d80683615ddd
- SHA512: c67925e19c3fdd55d1da2ed3833d967437907a458f32fec4963a8aa5d863ae4d195fe2bd3547e7e428558e8c2169148a4897dcbf2f3ecf5f0f6ff65058d66ffe
- SSDEEP: 6144:/OpslFlq2hdBCkWYxuukP1pjSKSNVkq/MVJbJ:/wsl/TBd47GLRMTbJ
Signatures:
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Executes dropped EXE
- Loads dropped DLL

Target: CGserver.exe
- Size: 264KB
- MD5: 94ae6b1aeef3dffc6b6e2ca472191f39
- SHA1: cbbbe4b517bf30ce526444870d41307825688884
- SHA256: bc86c552a4043dd054e346ce889fc577f4fe7f70ec796652f64bd8edaf14a50a
- SHA512: 3b8831d15fd3f14f7c33df27169eaf7e13329c6772d5306be8d01667f64f314354ade90349bb309e8f8a3519786c3ba2a9c78f15c8c783fc7d43685d409fd9ad
- SSDEEP: 6144:ukkojivbTsgtMX+UHalwvzYJMAZvRiBxta8nm3suAK:xk9syMX+k4wvz58R6xtTctAK
Signatures:
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Executes dropped EXE
- Loads dropped DLL

Target: COON.exe
- Size: 283KB
- MD5: 08b1c9f40dab18bfb54311b61bca4cda
- SHA1: c22d856fe1e40e44528ef221d852facd4b2c7e1b
- SHA256: 51e9015ca0103b4abbed0f6d85d693d6b6c081bda99fcf2d0ad24ba96cbb3e46
- SHA512: 610035f9af23d07817fc12953bdf6f0283497abedd18b8e62e7c062968f863512101b2b4d2a184e2a655a8184861aa2b41b50ae5f1e64f09293c712843951671
- SSDEEP: 6144:N4ABF94zpAuO/50BTnqPd0Mpz7qhh4nXjjf8MZ9BKXK+:WUHGLE0kuGnESB+
Signatures:
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL

Target: FFA.exe
- Size: 652KB
- MD5: 7589fe75123045e6f30eab511e55bc3a
- SHA1: 34e473bb2385e923feccb4aa5375a56924893a31
- SHA256: 747f15512f3b04420d0bc2264192fb1f8a4cdf81993afb191ae835d86b650cd8
- SHA512: fba1f53b6c2e8954e906ba2343e2b1a9f0f88ae69df0eab567af3ece4bc93d6b5291cc55e0aaf2b3d7e7d4e5457ac95eaacbd027425e3fff9df467e28627adcf
- SSDEEP: 12288:sRvnERMs3azRIMbcr6ZwchpZJmdhBPrx4PkAd5EBgv5gBjl:s5nm3fe5bMprx4c05EBgxgb
Score 10/10
Signatures:
- Modifies WinLogon for persistence
- Modifies Windows Firewall
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: FIle Rustyz bot.exe
- Size: 592KB
- MD5: 9975548eab59876a15169a056766b298
- SHA1: 4fedf79abf2c9c42720651d41290874aeb65669b
- SHA256: ab41d268755d89e45bd724912a8ef248b75ea3a877217718561e81d8785adde8
- SHA512: 769d7c8378c2ebcdbacf040fcf73e1940fd479edcace1a1348330720725db580c1a10d05397a4429e66d0b2fbb2dfebe4c73e7ac5de496f53f8d46779586b886
- SSDEEP: 12288:0DGP2qDSgnZ6nf+A7OmRQqk7RsQOBxSK4XajQYt:0Keqof3AXASXKt
Score 8/10
Signatures:
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: FrostBot v1.exe
- Size: 264KB
- MD5: cf1bbacd8ef9fec5e72137d3da543401
- SHA1: 5cd65d1c0c3b8e8d69e9dd7807c1a19c7b277b42
- SHA256: 6c650bcd3dd6accac5cae23ed42af2a6f57d936329a8e51ee710cb9cd2e2f3f3
- SHA512: b0c451f371f6f9e616211b0e9489c11c1a28b4a60f318f2f08889a85628f1e74a9110591da64a54a14d13f25cd8dca8ee0b587fca7649ac40321cebdbcaa0b94
- SSDEEP: 6144:Xkkog1WPDJpu1DxZXn/GmVuXNTaGFtWJtk/WgGF7hK:0kd1GDJM13+dXNTvt6ikK
Signatures:
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL

Target: Google.exe
- Size: 264KB
- MD5: 94ae6b1aeef3dffc6b6e2ca472191f39
- SHA1: cbbbe4b517bf30ce526444870d41307825688884
- SHA256: bc86c552a4043dd054e346ce889fc577f4fe7f70ec796652f64bd8edaf14a50a
- SHA512: 3b8831d15fd3f14f7c33df27169eaf7e13329c6772d5306be8d01667f64f314354ade90349bb309e8f8a3519786c3ba2a9c78f15c8c783fc7d43685d409fd9ad
- SSDEEP: 6144:ukkojivbTsgtMX+UHalwvzYJMAZvRiBxta8nm3suAK:xk9syMX+k4wvz58R6xtTctAK
Signatures:
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL

Target: MORPH_93594C2E8879.EXE
- Size: 185KB
- MD5: d0b8d51565528b23a4d3727b395dcc67
- SHA1: 1ba2426be4351645bee5ea613d23c0cd7adf8bb6
- SHA256: f0786dc9282a746b73606774a6a76bb947f29b130e3647b49fedd644c7aeeeef
- SHA512: afef7b668a5a84f4a5e8df3e0ba29e649308910a6cbb82fdf6e6d2e46a1df7df81c371db254d22d3e6353944cbb1fa8cfd1a9b8c9e5422084ff8eab429ac8f58
- SSDEEP: 3072:zPba0Z7gARaH7iLvfwH7t3NpaLzoqVe1Lxp4vrMrXBNFPKJ0FjiI:60NRaGLvfwbPYU92IzBN1oEjf
Score 3/10

Target: Mycrypt.exe
- Size: 228KB
- MD5: a35e683f7392d7aa6be1ac5d325a0584
- SHA1: 7b2a3dfd0579ec4a9f61e45994a48881ebb91b49
- SHA256: 85fac218aabc9a6d08380d6f4fbe07818c5f7c8dc1f630bb849ab5681c83d7de
- SHA512: 7c94c1f19f793d7efe251d9c0c4df900a10b8b85a36da9c883fce2b511f5f65d107d09be777efa92a3be6c0bdd38c302acd024ee48cf836889f79dfabb069470
- SSDEEP: 3072:R26et7TW3+lXSittze7GjsZCc8dexm1qX2Gqfkz297vslPCTjUB9LQdItu:R2BTW6ji7ZCc8dMOqX2Gb29AlPn9Mx
Score 10/10
Signatures:
- Modifies WinLogon for persistence
- Modifies Windows Firewall
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: PortChecker.exe
- Size: 128KB
- MD5: f9e1db23e7a2293a089963351994208d
- SHA1: dd60e6052959bf6787e035ce4122f4b9f461ce14
- SHA256: 27a739ca787fa265624d3ab8a5311a0e0f7d39c79c3c5365aff25159b0bb8dd4
- SHA512: 7058767d13fc57534f437b6c077d70ced53a0a8f53a03259dc3cc513ab07809c04303db649ba368b67bddee854f78c8570aa46d5f468720caa26696a8d70bc8e
- SSDEEP: 1536:KENNZHJxxl+LxcZDWAy3OgHEtIyAq3Hoa35ecoNVkSQLVz4ZkNfG:pNHHgKZ4Et5lTRoNO5VEZkNe
Score 10/10
Signatures:
- Modifies WinLogon for persistence
- Modifies Windows Firewall
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application

Target: R.exe
- Size: 264KB
- MD5: cf1bbacd8ef9fec5e72137d3da543401
- SHA1: 5cd65d1c0c3b8e8d69e9dd7807c1a19c7b277b42
- SHA256: 6c650bcd3dd6accac5cae23ed42af2a6f57d936329a8e51ee710cb9cd2e2f3f3
- SHA512: b0c451f371f6f9e616211b0e9489c11c1a28b4a60f318f2f08889a85628f1e74a9110591da64a54a14d13f25cd8dca8ee0b587fca7649ac40321cebdbcaa0b94
- SSDEEP: 6144:Xkkog1WPDJpu1DxZXn/GmVuXNTaGFtWJtk/WgGF7hK:0kd1GDJM13+dXNTvt6ikK
Signatures:
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL

Target: RSBOT.exe
- Size: 917B
- MD5: 5076a2f51f15fb1c1c8e9a53c3f7d75c
- SHA1: 1484b075977db4eea49d56ba4aa2a222afa158af
- SHA256: 1f546772433db3cf1f04cb7af5bd724190f6dbd274a6cfd3f82b6bb1c46edae5
- SHA512: 32ddc204effeb81f69a0f9dac64133ec72e90e3826ba73b3dbe563ca77e40105542eebb92ec25da5eae09af83591ead5f376ebac073d30653fca5dfda20763b6
Score 1/10

Target: Rustyz.exe
- Size: 120KB
- MD5: 72bcd7f24413629f6b194c718af7b39e
- SHA1: 8495ab957722ea594b4a45a8a7522b9a24d23988
- SHA256: 43a8ced5b270b43b025b166f5069446de5c15479dcb049034f7db073153ebce4
- SHA512: d5c9f01857e20fef93a8dc2e854bd3d18cf4c8d712eb6bf416f740c2e17eb14d9afa7eb9afb9241261bbfb07ab066447f6b22c9f78b815416d392329265a5213
- SSDEEP: 1536:94WHOJOV+P1tMZw1pSqvarF8TfHlo6nu/dhIo7RkSQAVE4Zks:94nzHn1nHllnu/co7aGV3Zks
Score 10/10
Signatures:
- Modifies WinLogon for persistence
- Modifies Windows Firewall
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application

Target: Rustyzzbot.exe
- Size: 128KB
- MD5: f9e1db23e7a2293a089963351994208d
- SHA1: dd60e6052959bf6787e035ce4122f4b9f461ce14
- SHA256: 27a739ca787fa265624d3ab8a5311a0e0f7d39c79c3c5365aff25159b0bb8dd4
- SHA512: 7058767d13fc57534f437b6c077d70ced53a0a8f53a03259dc3cc513ab07809c04303db649ba368b67bddee854f78c8570aa46d5f468720caa26696a8d70bc8e
- SSDEEP: 1536:KENNZHJxxl+LxcZDWAy3OgHEtIyAq3Hoa35ecoNVkSQLVz4ZkNfG:pNHHgKZ4Et5lTRoNO5VEZkNe
Score 8/10
Signatures:
- Modifies Windows Firewall
MITRE ATT&CK Enterprise v15 (technique, number of hits)

Persistence
- Boot or Logon Autostart Execution: 4
- Registry Run Keys / Startup Folder: 3
- Winlogon Helper DLL: 1
- Create or Modify System Process: 1
- Windows Service: 1

Privilege Escalation
- Boot or Logon Autostart Execution: 4
- Registry Run Keys / Startup Folder: 3
- Winlogon Helper DLL: 1
- Create or Modify System Process: 1
- Windows Service: 1

Defense Evasion
- Modify Registry: 5
- Subvert Trust Controls: 1
- Install Root Certificate: 1