Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d4bd84ab6a...78.exe

windows10-2004-x64

10

Resubmissions

19/03/2024, 10:46

240319-mvcmcsah4t 10

18/03/2024, 12:09

240318-pbenqagc97 10

17/03/2024, 13:27

240317-qqh55afc93 10

17/03/2024, 02:17

240317-cqtd7scf2x 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe

  • Size

    209KB

  • Sample

    240317-qqh55afc93

  • MD5

    2cb4d9235c8edfaeeedf9258177cec57

  • SHA1

    401520c963a302e4df292c032416febec06e5666

  • SHA256

    d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278

  • SHA512

    5d1059c1618e8cf1645a7775da743b02ef387d249c6b263e20ade68362ee06e43548293c1bb224719014618458b6bb6b00c7664fbea97b2414976ce980a8d950

  • SSDEEP

    3072:M4GZjvkqp4C/Khv97mrvw1F0Dz1yL9w1RBeg8+/yGYV:nGlvkqp4RSTwQwkRBeA

Score
10/10
dcratgluptebalummasmokeloadersocks5systemzvidarxmrigaadba0e623c9f7875c6a7402447d5a33backdoorbootkitbotnetdiscoverydropperevasioninfostealerloaderminerpersistenceratrootkitspywarestealertrojanupx

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php
rc4.i32
rc4.i32

Extracted

Family

vidar

Version

8.3

Botnet

aadba0e623c9f7875c6a7402447d5a33

C2

https://steamcommunity.com/profiles/76561199651834633

https://t.me/raf6ik
Attributes
  • profile_id_v2

    aadba0e623c9f7875c6a7402447d5a33

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

Extracted

Family

lumma

C2

https://herdbescuitinjurywu.shop/api

https://colorfulequalugliess.shop/api

https://resergvearyinitiani.shop/api

https://deadpanstupiddyjjuwk.shop/api

Extracted

Family

socks5systemz

C2

http://cszqkvf.net/search/?q=67e28dd83d5cf57a4406a9177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978f571ea771795af8e05c647db22f31df92d8838ed12a666d307eca743ec4c2b07b52966923a6788f713c4e790

http://cszqkvf.net/search/?q=67e28dd83d5cf57a4406a9177c27d78406abdd88be4b12eab517aa5c96bd86ef9c8244825a8bbc896c58e713bc90c91836b5281fc235a925ed3e56d6bd974a95129070b614e96cc92be20ea478cc51bbe358b90d3b4eed3233d1626a8ff810c0e99d983fc56a

http://bozbmfe.com/search/?q=67e28dd83d5cf57a4406a9177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978f571ea771795af8e05c646db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608fff17c8ed91923d

http://bozbmfe.com/search/?q=67e28dd83d5cf57a4406a9177c27d78406abdd88be4b12eab517aa5c96bd86e894854a825a8bbc896c58e713bc90c91836b5281fc235a925ed3e56d6bd974a95129070b615e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee959c33cf6b9e10

Targets

    • Target

      d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe

    • Size

      209KB

    • MD5

      2cb4d9235c8edfaeeedf9258177cec57

    • SHA1

      401520c963a302e4df292c032416febec06e5666

    • SHA256

      d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278

    • SHA512

      5d1059c1618e8cf1645a7775da743b02ef387d249c6b263e20ade68362ee06e43548293c1bb224719014618458b6bb6b00c7664fbea97b2414976ce980a8d950

    • SSDEEP

      3072:M4GZjvkqp4C/Khv97mrvw1F0Dz1yL9w1RBeg8+/yGYV:nGlvkqp4RSTwQwkRBeA

    Score
    10/10
    dcratgluptebalummasmokeloadersocks5systemzvidarxmrigaadba0e623c9f7875c6a7402447d5a33backdoorbootkitbotnetdiscoverydropperevasioninfostealerloaderminerpersistenceratrootkitspywarestealertrojanupx

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Detect Vidar Stealer

      stealer

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Socks5Systemz

      Socks5Systemz is a botnet written in C++.

      botnetsocks5systemz

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Stops running service(s)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

      rootkitevasion

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

6
T1012

Remote System Discovery

1
T1018

System Information Discovery

6
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks