Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

a47e4ba579...9e.exe

windows7-x64

10

a47e4ba579...9e.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a47e4ba5794dfd910a1402833d5f379e

  • Size

    3.9MB

  • Sample

    240225-yzs1pabb67

  • MD5

    a47e4ba5794dfd910a1402833d5f379e

  • SHA1

    37963628fd5ef4fbf99e03145374a31c99e54685

  • SHA256

    723e570331aa3284a7b94f247edd6c395df4dc0f55f1d263f418207c28ef0dbe

  • SHA512

    a0f1ae2333b8ba2d1fb4003ff35d71d2be1e7805d7d91363603b59083236a70b8f71288b10411bf0e1155fd300e55fa174952a7ac552bbffe21842048d9c9b95

  • SSDEEP

    98304:yZQHaZj1nYFguGgVS1HcjTUYCPENx9wX8/gH28y14PsgjlbD3h:yZQGnAguGQS1Hc3UYP9d4W8y14BlbLh

Score
10/10
cryptbotnullmixerprivateloaderredlinesectopratsmokeloadervidar706pab3pub5aspackv2backdoordiscoverydropperinfostealerloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

nullmixer

C2

http://hsiens.xyz/

Extracted

Family

privateloader

C2

http://37.0.10.214/proxies.txt

http://37.0.10.171/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.185

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

redline

Botnet

pab3

C2

185.215.113.15:61506

Extracted

Family

vidar

Version

40

Botnet

706

C2

https://lenak513.tumblr.com/

Attributes
  • profile_id

    706

Extracted

Family

smokeloader

Version

2020

C2

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/
rc4.i32
1
0x3b22e540
rc4.i32
1
0xa6b397e0

Extracted

Family

cryptbot

C2

knurxh28.top

moraku02.top
Attributes
  • payload_url

    http://sargym03.top/download.php?file=lv.exe

Targets

    • Target

      a47e4ba5794dfd910a1402833d5f379e

    • Size

      3.9MB

    • MD5

      a47e4ba5794dfd910a1402833d5f379e

    • SHA1

      37963628fd5ef4fbf99e03145374a31c99e54685

    • SHA256

      723e570331aa3284a7b94f247edd6c395df4dc0f55f1d263f418207c28ef0dbe

    • SHA512

      a0f1ae2333b8ba2d1fb4003ff35d71d2be1e7805d7d91363603b59083236a70b8f71288b10411bf0e1155fd300e55fa174952a7ac552bbffe21842048d9c9b95

    • SSDEEP

      98304:yZQHaZj1nYFguGgVS1HcjTUYCPENx9wX8/gH28y14PsgjlbD3h:yZQGnAguGQS1Hc3UYP9d4W8y14BlbLh

    Score
    10/10
    nullmixerprivateloaderredlinesectopratsmokeloadervidar706pab3pub5aspackv2backdoordropperinfostealerloaderpersistenceratstealertrojan

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

    • Target

      setup_installer.exe

    • Size

      3.9MB

    • MD5

      b3201d8994eb1f00ba141c7f13cbd036

    • SHA1

      f2678197bcab129b5a037e058bf3be75428b3e6a

    • SHA256

      43ae9cca6b997c4b73fc8ac92f9ee8065dc15d1acbaa09b81a24ef6a9bcf1f16

    • SHA512

      5e1e1f6b23e2fb381da51d77aa10b907a4b08a491322daa54e697b9efc5a8a4c925c8677140b80dab5494db8c7dff6f6a9482a0a36b3abaacbedbb2caf0ba779

    • SSDEEP

      98304:xQCvLUBsg3wJRTfYkoKXUAg4QRmJfPuTNRqGO3K:xtLUCg3CBHIVRqKzO3K

    Score
    10/10
    cryptbotnullmixerprivateloaderredlinesectopratsmokeloadervidar706pab3pub5aspackv2backdoordiscoverydropperinfostealerloaderpersistenceratspywarestealertrojan

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

      spywarestealercryptbot

    • CryptBot payload

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • Modifies Installed Components in the registry

      persistence

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.