
General

  • Target

    ef341e1a40b36fd78da2d13e8097015697630cd505b8eb8ad83df1aa46664eac.zip

  • Size

    972KB

  • Sample

    240219-q1gp2seb79

  • MD5

    7190bcedd54762250ab70245b17e88a5

  • SHA1

    4e9144739518cc2a0a89c75bb4be55be44a0a814

  • SHA256

    997bdf3efeccba5e6dfce9da65b24d317143e8f400371039a072d7c5794defd0

  • SHA512

    ae328f3ac0381310c5746fdd6bf3ebae2c994d7436096795be8f660acdff8a7fdf95cd96bd6fed098ac7725f2136e31351cfc012c0e85090e200a52c770ba0d5

  • SSDEEP

    24576:ptYBMf+6Wtlga4oUy741KkoAXeegzmXflqBbaOEdF8/AAJ1nCF+:ptYBCq5zUICoJjylqKFuAAJJw+

Malware Config

Targets

    • Target

      KYC_FORM_INCORRECT_ADDRESS.bat

    • Size

      7.2MB

    • MD5

      61637d3e7a53bd64315206e11bf95232

    • SHA1

      3e79ab07e84308d7cb960c0713c72d1017b743ab

    • SHA256

      473b5644baac3f8f574e40eca678b03e249f8f817f2add0ab13af6d2546e65d4

    • SHA512

      6a037181fbd049ec8ac3d34414bfd2249cc6db15ce11b171f37f1321ac7353e2e41d3aeda1b2bcfea2b18d386aae1ea568d28bb32b9f6b207ef604d6d0120d53

    • SSDEEP

      24576:jP+t895DoY73i1hELFq10l4AhwS/uCP6APFmDRcoybgxZfbJhgVQ5y0i+p70cZDC:jj9hoKy1IG0yu/rPbADoglhgf0i+m

    • Detect ZGRat V1

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • ModiLoader Second Stage

    • Creates new service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks