Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
file_x64x86.rar
-
Size
10.5MB
-
Sample
240314-qsf4jsfd42
-
MD5
c0e2e876025cff704f44762e4eef46df
-
SHA1
53cfde674e868429276dca6c9c4e783ff98b9a8f
-
SHA256
ce143c9fbf5934660cd61c63796aa00759b07ea5d65b66cd2c05e85239781ad8
-
SHA512
3c1a3ff3c74b16e1e2c3199f27770ec11fb92d7c2718ee2b0cccbb2c03e8017f3b41ca1d3c08ce03c0e5b594a361de920f7ab08d5722e07e8555c2908c76a694
-
SSDEEP
196608:XSbIWDiYJg1Z3mG//s6tgqRHqCo7eE8Aj5hjeeEit7w8AmxaPcaY9fTE:WTiYe1Z3ms06tg8H5OC8Gp/Y54
Static task
static1
Behavioral task
behavioral1
Sample
file_x64x86.rar
Resource
win10-20240221-en
Behavioral task
behavioral2
Sample
file_x64x86.rar
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
file_x64x86.rar
Resource
win11-20240221-en
Malware Config
Extracted
risepro
193.233.132.74:50500
Extracted
vidar
8.3
bb37828d665bba566345f9103d47fb2b
https://steamcommunity.com/profiles/76561199651834633
https://t.me/raf6ik
-
profile_id_v2
bb37828d665bba566345f9103d47fb2b
-
user_agent
Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Extracted
vidar
8.3
0ec692ca895b5b64eae7b06fc17c432d
https://steamcommunity.com/profiles/76561199651834633
https://t.me/raf6ik
-
profile_id_v2
0ec692ca895b5b64eae7b06fc17c432d
-
user_agent
Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Extracted
tofsee
vanaheim.cn
jotunheim.name
Extracted
smokeloader
pub3
Extracted
stealc
http://185.172.128.210
-
url_path
/f993692117a3fda2.php
Targets
-
-
Target
file_x64x86.rar
-
Size
10.5MB
-
MD5
c0e2e876025cff704f44762e4eef46df
-
SHA1
53cfde674e868429276dca6c9c4e783ff98b9a8f
-
SHA256
ce143c9fbf5934660cd61c63796aa00759b07ea5d65b66cd2c05e85239781ad8
-
SHA512
3c1a3ff3c74b16e1e2c3199f27770ec11fb92d7c2718ee2b0cccbb2c03e8017f3b41ca1d3c08ce03c0e5b594a361de920f7ab08d5722e07e8555c2908c76a694
-
SSDEEP
196608:XSbIWDiYJg1Z3mG//s6tgqRHqCo7eE8Aj5hjeeEit7w8AmxaPcaY9fTE:WTiYe1Z3ms06tg8H5OC8Gp/Y54
-
Detect Vidar Stealer
-
Detect ZGRat V1
-
Glupteba payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Creates new service(s)
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Modify Registry
1Virtualization/Sandbox Evasion
1